Update gcs module to terraform 0.13

This commit is contained in:
Julio Castillo
2020-10-29 23:22:58 +01:00
parent 85fda5b1fe
commit 61d402fece
18 changed files with 174 additions and 324 deletions


@@ -7,21 +7,13 @@
## Example
```hcl
module "buckets" {
module "bucket" {
source = "./modules/gcs"
project_id = "myproject"
prefix = "test"
names = ["bucket-one", "bucket-two"]
bucket_policy_only = {
bucket-one = false
}
name = "my-bucket"
iam_members = {
bucket-two = {
"roles/storage.admin" = ["group:storage@example.com"]
}
}
iam_roles = {
bucket-two = ["roles/storage.admin"]
"roles/storage.admin" = ["group:storage@example.com"]
}
}
```
@@ -29,56 +21,38 @@ module "buckets" {
### Example with Cloud KMS
```hcl
module "buckets" {
module "bucket" {
source = "./modules/gcs"
project_id = "myproject"
prefix = "test"
names = ["bucket-one", "bucket-two"]
bucket_policy_only = {
bucket-one = false
}
name = "my-bucket"
iam_members = {
bucket-two = {
"roles/storage.admin" = ["group:storage@example.com"]
}
}
iam_roles = {
bucket-two = ["roles/storage.admin"]
}
encryption_keys = {
bucket-two = local.kms_key.self_link,
"roles/storage.admin" = ["group:storage@example.com"]
}
encryption_keys = local.kms_key.self_link
}
```
### Example with retention policy
```hcl
module "buckets" {
module "bucket" {
source = "./modules/gcs"
project_id = "myproject"
prefix = "test"
names = ["bucket-one", "bucket-two"]
bucket_policy_only = {
bucket-one = false
}
name = "my-bucket"
iam_members = {
bucket-two = {
"roles/storage.admin" = ["group:storage@example.com"]
}
}
iam_roles = {
bucket-two = ["roles/storage.admin"]
"roles/storage.admin" = ["group:storage@example.com"]
}
retention_policies = {
bucket-one = { retention_period = 100 , is_locked = true}
bucket-two = { retention_period = 900 , is_locked = false}
retention_period = 100
is_locked = true
}
logging_config = {
bucket-one = { log_bucket = bucket_name_for_logging , log_object_prefix = null}
bucket-two = { log_bucket = bucket_name_for_logging , log_object_prefix = "logs_for_bucket_two"}
log_bucket = bucket_name_for_logging
log_object_prefix = null
}
}
```
@@ -88,31 +62,25 @@ module "buckets" {
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| names | Bucket name suffixes. | <code title="list&#40;string&#41;">list(string)</code> | ✓ | |
| name | Bucket name suffix. | <code title="">string</code> | ✓ | |
| project_id | Bucket project id. | <code title="">string</code> | ✓ | |
| *uniform_bucket_level_access* | Optional map to enable object ACLs keyed by name, defaults to true. | <code title="map&#40;bool&#41;">map(bool)</code> | | <code title="">{}</code> |
| *encryption_keys* | Per-bucket KMS keys that will be used for encryption. | <code title="map&#40;string&#41;">map(string)</code> | | <code title="">{}</code> |
| *force_destroy* | Optional map to set force destroy keyed by name, defaults to false. | <code title="map&#40;bool&#41;">map(bool)</code> | | <code title="">{}</code> |
| *iam_members* | IAM members keyed by bucket name and role. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> | | <code title="">{}</code> |
| *iam_roles* | IAM roles keyed by bucket name. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> | | <code title="">{}</code> |
| *encryption_key* | KMS key that will be used for encryption. | <code title="">string</code> | | <code title="">null</code> |
| *force_destroy* | Optional map to set force destroy keyed by name, defaults to false. | <code title="">bool</code> | | <code title="">false</code> |
| *iam_members* | IAM members keyed by bucket name and role. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> | | <code title="">{}</code> |
| *labels* | Labels to be attached to all buckets. | <code title="map&#40;string&#41;">map(string)</code> | | <code title="">{}</code> |
| *location* | Bucket location. | <code title="">string</code> | | <code title="">EU</code> |
| *logging_config* | Per-bucket logging. | <code title="map&#40;object&#40;&#123;&#10;log_bucket &#61; string&#10;log_object_prefix &#61; string&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
| *logging_config* | Bucket logging configuration. | <code title="object&#40;&#123;&#10;log_bucket &#61; string&#10;log_object_prefix &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="">null</code> |
| *prefix* | Prefix used to generate the bucket name. | <code title="">string</code> | | <code title="">null</code> |
| *retention_policies* | Per-bucket retention policy. | <code title="map&#40;object&#40;&#123;&#10;retention_period &#61; number&#10;is_locked &#61; bool&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
| *retention_policy* | Bucket retention policy. | <code title="object&#40;&#123;&#10;retention_period &#61; number&#10;is_locked &#61; bool&#10;&#125;&#41;">object({...})</code> | | <code title="">null</code> |
| *storage_class* | Bucket storage class. | <code title="">string</code> | | <code title="">MULTI_REGIONAL</code> |
| *versioning* | Optional map to set versioning keyed by name, defaults to false. | <code title="map&#40;bool&#41;">map(bool)</code> | | <code title="">{}</code> |
| *uniform_bucket_level_access* | Allow using object ACLs (false) or not (true, this is the recommended behavior) , defaults to true (which is the recommended practice, but not the behavior of storage API). | <code title="">bool</code> | | <code title="">true</code> |
| *versioning* | Enable versioning, defaults to false. | <code title="">bool</code> | | <code title="">false</code> |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| bucket | Bucket resource (for single use). | |
| buckets | Bucket resources. | |
| name | Bucket name (for single use). | |
| names | Bucket names. | |
| names_list | List of bucket names. | |
| url | Bucket URL (for single use). | |
| urls | Bucket URLs. | |
| urls_list | List of bucket URLs. | |
| bucket | Bucket resource. | |
| name | Bucket name. | |
| url | Bucket URL. | |
<!-- END TFDOC -->


@@ -15,85 +15,57 @@
*/
locals {
buckets = (
local.has_buckets
? [for name in var.names : google_storage_bucket.buckets[name]]
: []
)
# needed when destroying
has_buckets = length(google_storage_bucket.buckets) > 0
iam_pairs = var.iam_roles == null ? [] : flatten([
for name, roles in var.iam_roles :
[for role in roles : { name = name, role = role }]
])
iam_keypairs = {
for pair in local.iam_pairs :
"${pair.name}-${pair.role}" => pair
}
iam_members = var.iam_members == null ? {} : var.iam_members
prefix = (
var.prefix == null || var.prefix == "" # keep "" for backward compatibility
? ""
: join("-", [var.prefix, lower(var.location), ""])
)
kms_keys = {
for name in var.names : name => lookup(var.encryption_keys, name, null)
}
retention_policy = {
for name in var.names : name => lookup(var.retention_policies, name, null)
}
logging_config = {
for name in var.names : name => lookup(var.logging_config, name, null)
}
}
resource "google_storage_bucket" "buckets" {
for_each = toset(var.names)
name = "${local.prefix}${lower(each.key)}"
project = var.project_id
location = var.location
storage_class = var.storage_class
force_destroy = lookup(var.force_destroy, each.key, false)
uniform_bucket_level_access = lookup(var.uniform_bucket_level_access, each.key, true)
resource "google_storage_bucket" "bucket" {
name = "${local.prefix}${lower(var.name)}"
project = var.project_id
location = var.location
storage_class = var.storage_class
force_destroy = var.force_destroy
uniform_bucket_level_access = var.uniform_bucket_level_access
versioning {
enabled = lookup(var.versioning, each.key, false)
enabled = var.versioning
}
labels = merge(var.labels, {
location = lower(var.location)
name = lower(each.key)
name = lower(var.name)
storage_class = lower(var.storage_class)
})
dynamic encryption {
for_each = local.kms_keys[each.key] == null ? [] : [""]
for_each = var.encryption_key == null ? [] : [""]
content {
default_kms_key_name = local.kms_keys[each.key]
default_kms_key_name = var.encryption_key
}
}
dynamic retention_policy {
for_each = local.retention_policy[each.key] == null ? [] : [""]
for_each = var.retention_policy == null ? [] : [""]
content {
retention_period = local.retention_policy[each.key]["retention_period"]
is_locked = local.retention_policy[each.key]["is_locked"]
retention_period = var.retention_policy.retention_period
is_locked = var.retention_policy.is_locked
}
}
dynamic logging {
for_each = local.logging_config[each.key] == null ? [] : [""]
for_each = var.logging_config == null ? [] : [""]
content {
log_bucket = local.logging_config[each.key]["log_bucket"]
log_object_prefix = local.logging_config[each.key]["log_object_prefix"]
log_bucket = var.logging_config.log_bucket
log_object_prefix = var.logging_config.log_object_prefix
}
}
}
resource "google_storage_bucket_iam_binding" "bindings" {
for_each = local.iam_keypairs
bucket = google_storage_bucket.buckets[each.value.name].name
role = each.value.role
members = lookup(
lookup(local.iam_members, each.value.name, {}), each.value.role, []
)
for_each = var.iam_members
bucket = google_storage_bucket.bucket.name
role = each.key
members = each.value
}
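Review bot: The rewritten `google_storage_bucket_iam_binding` at the end of the hunk (`for_each = var.iam_members`, `role = each.key`, `members = each.value`) is authoritative per role, so on apply any principal that holds one of the listed roles on the bucket but is not present in `var.iam_members` loses that role. The old code had the same semantics, but the flattened map makes the behaviour easy to miss, and nothing in the resource or the variable documents it. Suggest a comment on the resource: `# authoritative per role: members holding a listed role outside var.iam_members are removed on apply`. The `locals` block also still carries `prefix`, and a one-line comment there saying the location is folded into the bucket name (`prefix-location-name`) would spare the reader reconstructing it from the `join` call.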


@@ -1,5 +1,5 @@
/**
* Copyright 2018 Google LLC
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -15,49 +15,16 @@
*/
output "bucket" {
description = "Bucket resource (for single use)."
value = local.has_buckets ? local.buckets[0] : null
description = "Bucket resource."
value = google_storage_bucket.bucket
}
output "name" {
description = "Bucket name (for single use)."
value = local.has_buckets ? local.buckets[0].name : null
description = "Bucket name."
value = google_storage_bucket.bucket.name
}
output "url" {
description = "Bucket URL (for single use)."
value = local.has_buckets ? local.buckets[0].url : null
}
output "buckets" {
description = "Bucket resources."
value = local.buckets
}
output "names" {
description = "Bucket names."
value = (
local.has_buckets
? zipmap(var.names, [for b in local.buckets : lookup(b, "name", null)])
: {}
)
}
output "urls" {
description = "Bucket URLs."
value = (
local.has_buckets
? zipmap(var.names, [for b in local.buckets : b.url])
: {}
)
}
output "names_list" {
description = "List of bucket names."
value = [for b in local.buckets : b.name]
}
output "urls_list" {
description = "List of bucket URLs."
value = [for b in local.buckets : b.name]
description = "Bucket URL."
value = google_storage_bucket.bucket.url
}


@@ -1,5 +1,5 @@
/**
* Copyright 2018 Google LLC
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -15,33 +15,27 @@
*/
variable "uniform_bucket_level_access" {
description = "Optional map to allow using object ACLs (false) or not (true, this is the recommended behavior) , defaults to true (which is the recommended practice, but not the behavior of storage API)."
type = map(bool)
default = {}
description = "Allow using object ACLs (false) or not (true, this is the recommended behavior) , defaults to true (which is the recommended practice, but not the behavior of storage API)."
type = bool
default = true
}
variable "force_destroy" {
description = "Optional map to set force destroy keyed by name, defaults to false."
type = map(bool)
default = {}
type = bool
default = false
}
variable "iam_members" {
description = "IAM members keyed by bucket name and role."
type = map(map(list(string)))
type = map(set(string))
default = {}
}
variable "iam_roles" {
description = "IAM roles keyed by bucket name."
type = map(list(string))
default = {}
}
variable "encryption_keys" {
description = "Per-bucket KMS keys that will be used for encryption."
type = map(string)
default = {}
variable "encryption_key" {
description = "KMS key that will be used for encryption."
type = string
default = null
}
variable "labels" {
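Review bot: The description of `force_destroy` in this hunk still reads "Optional map to set force destroy keyed by name, defaults to false." although its type changes to `bool`, and `iam_members` keeps "IAM members keyed by bucket name and role." while its new type `map(set(string))` is keyed by role only. Suggest `description = "Optional bool to set force destroy, defaults to false."` and `description = "IAM members keyed by role."`. The same stale wording is reproduced in the README table in the first file section, which presumably is regenerated from these descriptions given its `END TFDOC` marker, so fixing them here should fix the table too.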
@@ -57,17 +51,17 @@ variable "location" {
}
variable "logging_config" {
description = "Per-bucket logging."
type = map(object({
description = "Bucket logging configuration."
type = object({
log_bucket = string
log_object_prefix = string
}))
default = {}
})
default = null
}
variable "names" {
description = "Bucket name suffixes."
type = list(string)
variable "name" {
description = "Bucket name suffix."
type = string
}
variable "prefix" {
@@ -81,13 +75,13 @@ variable "project_id" {
type = string
}
variable "retention_policies" {
description = "Per-bucket retention policy."
type = map(object({
variable "retention_policy" {
description = "Bucket retention policy."
type = object({
retention_period = number
is_locked = bool
}))
default = {}
})
default = null
}
variable "storage_class" {
@@ -97,7 +91,7 @@ variable "storage_class" {
}
variable "versioning" {
description = "Optional map to set versioning keyed by name, defaults to false."
type = map(bool)
default = {}
description = "Enable versioning, defaults to false."
type = bool
default = false
}