diff --git a/modules/gcs/README.md b/modules/gcs/README.md
index 8a26958d6..993e0435f 100644
--- a/modules/gcs/README.md
+++ b/modules/gcs/README.md
@@ -196,12 +196,13 @@ module "bucket" {
| [notification_config](variables.tf#L169) | GCS Notification configuration. | object({…}) | | null |
| [objects_to_upload](variables.tf#L183) | Objects to be uploaded to bucket. | map(object({…})) | | {} |
| [prefix](variables.tf#L209) | Optional prefix used to generate the bucket name. | string | | null |
-| [requester_pays](variables.tf#L224) | Enables Requester Pays on a storage bucket. | bool | | null |
-| [retention_policy](variables.tf#L230) | Bucket retention policy. | object({…}) | | null |
-| [storage_class](variables.tf#L239) | Bucket storage class. | string | | "MULTI_REGIONAL" |
-| [uniform_bucket_level_access](variables.tf#L249) | Allow using object ACLs (false) or not (true, this is the recommended behavior) , defaults to true (which is the recommended practice, but not the behavior of storage API). | bool | | true |
-| [versioning](variables.tf#L255) | Enable versioning, defaults to false. | bool | | false |
-| [website](variables.tf#L261) | Bucket website. | object({…}) | | null |
+| [public_access_prevention](variables.tf#L224) | Prevents public access to a bucket. Acceptable values are inherited or enforced. If inherited, the bucket uses public access prevention, only if the bucket is subject to the public access prevention organization policy constraint. | string | | null |
+| [requester_pays](variables.tf#L230) | Enables Requester Pays on a storage bucket. | bool | | null |
+| [retention_policy](variables.tf#L236) | Bucket retention policy. | object({…}) | | null |
+| [storage_class](variables.tf#L245) | Bucket storage class. | string | | "MULTI_REGIONAL" |
+| [uniform_bucket_level_access](variables.tf#L255) | Allow using object ACLs (false) or not (true, this is the recommended behavior) , defaults to true (which is the recommended practice, but not the behavior of storage API). | bool | | true |
+| [versioning](variables.tf#L261) | Enable versioning, defaults to false. | bool | | false |
+| [website](variables.tf#L267) | Bucket website. | object({…}) | | null |
## Outputs
diff --git a/modules/gcs/main.tf b/modules/gcs/main.tf
index 1341e707c..c19c7912e 100644
--- a/modules/gcs/main.tf
+++ b/modules/gcs/main.tf
@@ -29,6 +29,7 @@ resource "google_storage_bucket" "bucket" {
labels = var.labels
default_event_based_hold = var.default_event_based_hold
requester_pays = var.requester_pays
+ public_access_prevention = var.public_access_prevention
versioning {
enabled = var.versioning
}
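Review bot: Passing `var.public_access_prevention` straight through with its `null` default means the module leaves the attribute unset, so a bucket's effective setting comes from the provider/API default rather than from this module; per the variable's own description an `inherited` bucket is only protected when the org policy constraint applies. That is a weaker posture than the module's other secure-by-default choice, `uniform_bucket_level_access = true`, and a caller reading the README would not notice the difference. Consider `default = "enforced"` for the variable, which on the provider side is the only value that prevents public ACLs/IAM bindings regardless of org policy; if that is too disruptive for buckets that rely on `website` or intentionally public access, at least state in the description and README that leaving it `null` provides no protection on its own. The `google_storage_bucket.bucket` resource continues outside the hunk.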
diff --git a/modules/gcs/variables.tf b/modules/gcs/variables.tf
index 350c74baf..de8a6abd8 100644
--- a/modules/gcs/variables.tf
+++ b/modules/gcs/variables.tf
@@ -221,6 +221,12 @@ variable "project_id" {
type = string
}
+variable "public_access_prevention" {
+ description = "Prevents public access to a bucket. Acceptable values are inherited or enforced. If inherited, the bucket uses public access prevention, only if the bucket is subject to the public access prevention organization policy constraint."
+ type = string
+ default = null
+}
+
variable "requester_pays" {
description = "Enables Requester Pays on a storage bucket."
type = bool
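Review bot: The new `public_access_prevention` variable accepts any string even though the description enumerates exactly two valid values, so a typo such as `"enforce"` is presumably only rejected by the provider at plan/apply time with a less helpful message. A `validation` block catches it at variable evaluation and matches the pattern of other enumerated string inputs in this module, if they carry one. The condition below uses `coalesce` so the `null` default stays valid without relying on short-circuit evaluation in the logical operators.

```hcl
variable "public_access_prevention" {
  # … unchanged: description, type, default …
  validation {
    condition = contains(
      ["inherited", "enforced"],
      coalesce(var.public_access_prevention, "inherited")
    )
    error_message = "public_access_prevention must be null, \"inherited\" or \"enforced\"."
  }
}
```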