Skip to content

Latest commit

 

History

History
141 lines (111 loc) · 11.5 KB

README.md

File metadata and controls

141 lines (111 loc) · 11.5 KB

Terraform Google Cloud Storage Module

This module makes it easy to create one or more GCS buckets, and assign basic permissions on them to arbitrary users.

The resources/services/activations/deletions that this module will create/trigger are:

  • One or more GCS buckets
  • Zero or more IAM bindings for those buckets

If you only wish to create a single bucket, consider using the simple bucket submodule instead.

Compatibility

This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is v1.7.1.

Usage

Basic usage of this module is as follows:

module "gcs_buckets" {
  source  = "terraform-google-modules/cloud-storage/google"
  version = "~> 2.2"
  project_id  = "<PROJECT ID>"
  names = ["first", "second"]
  prefix = "my-unique-prefix"
  set_admin_roles = true
  admins = ["group:[email protected]"]
  versioning = {
    first = true
  }
  bucket_admins = {
    second = "user:[email protected],[email protected]"
  }
}

Functional examples are included in the examples directory.

Inputs

Name Description Type Default Required
admins IAM-style members who will be granted roles/storage.objectAdmin on all buckets. list(string) [] no
bucket_admins Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket admins. map(string) {} no
bucket_creators Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket creators. map(string) {} no
bucket_hmac_key_admins Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket HMAC Key admins. map(string) {} no
bucket_lifecycle_rules Additionnal lifecycle_rules for specific buckets. Map of lowercase unprefixed name => list of lifecycle rules to configure.
map(set(object({
# Object with keys:
# - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass.
# - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule.
action = map(string)

# Object with keys:
# - age - (Optional) Minimum age of an object in days to satisfy this condition.
# - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.
# - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY".
# - matches_storage_class - (Optional) Comma delimited string for storage class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY.
# - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.
# - custom_time_before - (Optional) A date in the RFC 3339 format YYYY-MM-DD. This condition is satisfied when the customTime metadata for the object is set to an earlier date than the date used in this lifecycle condition.
# - days_since_custom_time - (Optional) The number of days from the Custom-Time metadata attribute after which this condition becomes true.
# - days_since_noncurrent_time - (Optional) Relevant only for versioned objects. Number of days elapsed since the noncurrent timestamp of an object.
# - noncurrent_time_before - (Optional) Relevant only for versioned objects. The date in RFC 3339 (e.g. 2017-06-13) when the object became nonconcurrent.
condition = map(string)
})))
{} no
bucket_policy_only Disable ad-hoc ACLs on specified buckets. Defaults to true. Map of lowercase unprefixed name => boolean map(bool) {} no
bucket_storage_admins Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket storage admins. map(string) {} no
bucket_viewers Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket viewers. map(string) {} no
cors Set of maps of mixed type attributes for CORS values. See appropriate attribute types here: https://www.terraform.io/docs/providers/google/r/storage_bucket.html#cors set(any) [] no
creators IAM-style members who will be granted roles/storage.objectCreators on all buckets. list(string) [] no
default_event_based_hold Enable event based hold to new objects added to specific bucket. Defaults to false. Map of lowercase unprefixed name => boolean map(bool) {} no
encryption_key_names Optional map of lowercase unprefixed name => string, empty strings are ignored. map(string) {} no
folders Map of lowercase unprefixed name => list of top level folder objects. map(list(string)) {} no
force_destroy Optional map of lowercase unprefixed name => boolean, defaults to false. map(bool) {} no
hmac_key_admins IAM-style members who will be granted roles/storage.hmacKeyAdmin on all buckets. list(string) [] no
labels Labels to be attached to the buckets map(string) {} no
lifecycle_rules List of lifecycle rules to configure. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#lifecycle_rule except condition.matches_storage_class should be a comma delimited string.
set(object({
# Object with keys:
# - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass.
# - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule.
action = map(string)

# Object with keys:
# - age - (Optional) Minimum age of an object in days to satisfy this condition.
# - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.
# - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY".
# - matches_storage_class - (Optional) Comma delimited string for storage class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY.
# - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.
# - custom_time_before - (Optional) A date in the RFC 3339 format YYYY-MM-DD. This condition is satisfied when the customTime metadata for the object is set to an earlier date than the date used in this lifecycle condition.
# - days_since_custom_time - (Optional) The number of days from the Custom-Time metadata attribute after which this condition becomes true.
# - days_since_noncurrent_time - (Optional) Relevant only for versioned objects. Number of days elapsed since the noncurrent timestamp of an object.
# - noncurrent_time_before - (Optional) Relevant only for versioned objects. The date in RFC 3339 (e.g. 2017-06-13) when the object became nonconcurrent.
condition = map(string)
}))
[] no
location Bucket location. string "EU" no
logging Map of lowercase unprefixed name => bucket logging config object. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#logging any {} no
names Bucket name suffixes. list(string) n/a yes
prefix Prefix used to generate the bucket name. string n/a yes
project_id Bucket project id. string n/a yes
randomize_suffix Adds an identical, but randomized 4-character suffix to all bucket names bool false no
retention_policy Map of retention policy values. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket#retention_policy any {} no
set_admin_roles Grant roles/storage.objectAdmin role to admins and bucket_admins. bool false no
set_creator_roles Grant roles/storage.objectCreator role to creators and bucket_creators. bool false no
set_hmac_key_admin_roles Grant roles/storage.hmacKeyAdmin role to hmac_key_admins and bucket_hmac_key_admins. bool false no
set_storage_admin_roles Grant roles/storage.admin role to storage_admins and bucket_storage_admins. bool false no
set_viewer_roles Grant roles/storage.objectViewer role to viewers and bucket_viewers. bool false no
storage_admins IAM-style members who will be granted roles/storage.admin on all buckets. list(string) [] no
storage_class Bucket storage class. string "STANDARD" no
versioning Optional map of lowercase unprefixed name => boolean, defaults to false. map(bool) {} no
viewers IAM-style members who will be granted roles/storage.objectViewer on all buckets. list(string) [] no
website Map of website values. Supported attributes: main_page_suffix, not_found_page map(any) {} no

Outputs

Name Description
bucket Bucket resource (for single use).
buckets Bucket resources as list.
buckets_map Bucket resources by name.
name Bucket name (for single use).
names Bucket names.
names_list List of bucket names.
url Bucket URL (for single use).
urls Bucket URLs.
urls_list List of bucket URLs.

Requirements

These sections describe requirements for using this module.

Software

The following dependencies must be available:

Service Account

User or service account credentials with the following roles must be used to provision the resources of this module:

  • Storage Admin: roles/storage.admin

The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Google Cloud Storage JSON API: storage-api.googleapis.com

The Project Factory module can be used to provision a project with the necessary APIs enabled.

Contributing

Refer to the contribution guidelines for information on contributing to this module.