From daf3dc41e7e314676214fccec9bf5a14631df060 Mon Sep 17 00:00:00 2001
From: vanessabodard-voi <63779321+vanessabodard-voi@users.noreply.github.com>
Date: Tue, 1 Sep 2020 17:48:02 +0200
Subject: [PATCH] Add retention policy (#133)

---
 CHANGELOG.md             |  1 +
 modules/gcs/README.md    | 30 +++++++++++++++++++++++++++++-
 modules/gcs/main.tf      |  9 +++++++++
 modules/gcs/variables.tf |  6 ++++++
 4 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 946e81166..e13d944be 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ All notable changes to this project will be documented in this file.
 ## [Unreleased]
 - Fix GCS2BQ (issue: 128)
 - make VPC creation optional in `net-vpc` module to allow managing a pre-existing VPC
+- add retention_policy in `gcs` module
 
 ## [3.2.0] - 2020-08-29
 
diff --git a/modules/gcs/README.md b/modules/gcs/README.md
index 839faadd7..1f31a40fd 100644
--- a/modules/gcs/README.md
+++ b/modules/gcs/README.md
@@ -45,12 +45,39 @@ module "buckets" {
   iam_roles = {
     bucket-two = ["roles/storage.admin"]
   }
-  kms_keys = {
+  encryption_keys = {
     bucket-two = local.kms_key.self_link,
   }
 }
 ```
 
+### Example with retention policy
+
+```hcl
+module "buckets" {
+  source     = "./modules/gcs"
+  project_id = "myproject"
+  prefix     = "test"
+  names      = ["bucket-one", "bucket-two"]
+  bucket_policy_only = {
+    bucket-one = false
+  }
+  iam_members = {
+    bucket-two = {
+      "roles/storage.admin" = ["group:storage@example.com"]
+    }
+  }
+  iam_roles = {
+    bucket-two = ["roles/storage.admin"]
+  }
+
+  retention_policies = {
+    bucket-one = { retention_period = 100 , is_locked = true}
+    bucket-two = { retention_period = 900 }
+  }
+}
+```
+
 ## Variables
@@ -68,6 +95,7 @@ module "buckets" {
 | *prefix* | Prefix used to generate the bucket name. | string | | null |
 | *storage_class* | Bucket storage class. | string | | MULTI_REGIONAL |
 | *versioning* | Optional map to set versioning keyed by name, defaults to false. | map(bool) | | {} |
+| *retention_policies* | Optional map to set up retention policy keyed by bucket name. | map(map(string)) | | {} |
 
 ## Outputs
 
diff --git a/modules/gcs/main.tf b/modules/gcs/main.tf
index f345ed3bc..d2d8616a9 100644
--- a/modules/gcs/main.tf
+++ b/modules/gcs/main.tf
@@ -37,6 +37,7 @@ locals {
     : join("-", [var.prefix, lower(var.location), ""])
   )
   kms_keys = { for name in var.names : name => lookup(var.encryption_keys, name, null) }
+  retention_policy = { for name in var.names : name => lookup(var.retention_policies, name, null) }
 }
 
 resource "google_storage_bucket" "buckets" {
@@ -63,6 +64,14 @@ resource "google_storage_bucket" "buckets" {
       default_kms_key_name = local.kms_keys[each.key]
     }
   }
+
+  dynamic retention_policy {
+    for_each = local.retention_policy[each.key] == null ? [] : [""]
+    content {
+      retention_period = local.retention_policy[each.key]["retention_period"]
+      is_locked        = lookup(local.retention_policy[each.key], "is_locked", false)
+    }
+  }
 }
 
 resource "google_storage_bucket_iam_binding" "bindings" {
diff --git a/modules/gcs/variables.tf b/modules/gcs/variables.tf
index cdc63eccd..c3e3360f2 100644
--- a/modules/gcs/variables.tf
+++ b/modules/gcs/variables.tf
@@ -83,3 +83,9 @@ variable "versioning" {
   type    = map(bool)
   default = {}
 }
+
+variable "retention_policies" {
+  description = "Per-bucket retention policy."
+  type        = map(map(string))
+  default     = {}
+}
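Review bot: A key in `var.retention_policies` that does not match an entry in `var.names` is silently ignored by the new `retention_policy` local, because the comprehension iterates `var.names` and resolves each bucket with `lookup(..., null)`; a misspelled bucket name therefore produces a bucket with no retention policy and no plan-time signal, which is the wrong failure mode for a control that exists to keep objects immutable. A `validation` block on the variable cannot express this (it may only reference the variable itself), so at least state the contract next to the local, `# keys of var.retention_policies that are not in var.names are ignored without error`, and consider exposing the mismatch, e.g. an output `unmatched_retention_policies = setsubtract(keys(var.retention_policies), var.names)` that callers can assert on. The enclosing `locals` block starts outside the hunk.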
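Review bot: The `is_locked` argument of the new `dynamic retention_policy` block needs a comment, because locking a retention policy is a one-way operation on the GCS side: once the bucket has been applied with `is_locked = true` the policy cannot be removed and `retention_period` cannot be shortened, and neither the bucket nor objects still within the period can be deleted, so a later `terraform destroy` of that bucket fails until every object has aged out. The README example added in this same commit pairs `is_locked = true` with a 100-second period and does not say any of this, so a reader could reasonably assume it is as reversible as `versioning`. Suggested comment above the `dynamic` block: `# is_locked = true is permanent: the policy can then only be lengthened, never removed, and the bucket cannot be destroyed while objects are within retention_period (seconds).` The enclosing `google_storage_bucket` resource starts outside the hunk.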
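Review bot: The description `"Per-bucket retention policy."` on the new `retention_policies` variable names neither the inner-map keys the module actually reads (`retention_period`, which main.tf indexes unconditionally, and `is_locked`, which it looks up with a default of `false`) nor the unit of `retention_period`, and `type = map(map(string))` gives the caller no type-level hint either, so an entry that omits `retention_period` only surfaces as a generic missing-key error at plan time. Suggest `description = "Per-bucket retention policy keyed by bucket name; inner map keys: retention_period (seconds, required) and is_locked (optional, defaults to false)."`, and the same wording for the `*retention_policies*` row the README hunk adds to the variables table.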