* preliminary support for wif in stage 0
* IAM wif role
* IAM wif role TODO
* add support for external SA IAM to SA module
* add name output to SA module
* separate cicd SA
* tfdoc
* GITLAB principal (untested)
* make GCS name output static
* outputs bucket
* fix stage 1 test
* tweak outputs
* tfdoc
* move wif_pool to automation variable
* add support for top-level and repository providers
* add missing boilerplate
* fix branchless principal
* initial workflow
* symlink provider template in stages
* remove service accounts from stage 0 cicd tfvars
* add cicd interface variable to resman stage
* fix cicd variable in resman stage
* better condition on outputs_location
* fix last change
* change outputs_location type
* revert outputs_location change
* split outputs in stage 0
* update ci/cd temporary notes
* rename additive IAM resource in SA module
* split outputs in stage 1
* remove unused locals
* fix stage 1 tests
* tfdoc
* Upload action files to outputs_bucket
* Fix tests and README
* rename template, streamline outputs
* local templates and gcs output for all stage 2
* add workflows to local output files
* Use lowercase WIF providers everywhere
* Bring back suffix for workflow files
* Remove unused files
* Update READMEs
* preliminary CI/CD implementation for stage 1
* fix stage 1
* stage 1 cicd
* tfdoc
* fix tests
* readme and links for cicd and wif
* refactor wif providers
* refactor cicd for stage 1
* fix stage 1
* wif org policies
* split identity provider configuration from cicd
* add type attribute to cicd repositories
* valid cicd repositories have a workflow template
* refactor stage 01
* fix stage 01 tests
* minimal CI/CD documentation
* better check_links error reporting
* fix links
* Added Gitlab specific configurations. Set the default issuer_uri for Gitlab. Added allowed audiences to OIDC configuration.
* Fixed TF formatting in identity providers.
* Changing identity provider audience to null. Changing identity provider audience to default to null.
* add instructions for renaming workflows
* address Julio's comments

Co-authored-by: Julio Castillo <jccb@google.com>
Co-authored-by: alexmeissner <alexmeissner@google.com>
Google Cloud Storage Module
Example
```hcl
module "bucket" {
  source     = "./modules/gcs"
  project_id = "myproject"
  prefix     = "test"
  name       = "my-bucket"
  iam = {
    "roles/storage.admin" = ["group:storage@example.com"]
  }
}
# tftest modules=1 resources=2
```
Example with Cloud KMS
```hcl
module "bucket" {
  source     = "./modules/gcs"
  project_id = "myproject"
  prefix     = "test"
  name       = "my-bucket"
  iam = {
    "roles/storage.admin" = ["group:storage@example.com"]
  }
  encryption_key = "my-encryption-key"
}
# tftest modules=1 resources=2
```
Example with retention policy
```hcl
module "bucket" {
  source     = "./modules/gcs"
  project_id = "myproject"
  prefix     = "test"
  name       = "my-bucket"
  iam = {
    "roles/storage.admin" = ["group:storage@example.com"]
  }
  retention_policy = {
    retention_period = 100
    is_locked        = true
  }
  logging_config = {
    log_bucket        = var.bucket
    log_object_prefix = null
  }
}
# tftest modules=1 resources=2
```
Example with lifecycle rule
```hcl
module "bucket" {
  source     = "./modules/gcs"
  project_id = "myproject"
  prefix     = "test"
  name       = "my-bucket"
  iam = {
    "roles/storage.admin" = ["group:storage@example.com"]
  }
  lifecycle_rule = {
    action = {
      type          = "SetStorageClass"
      storage_class = "STANDARD"
    }
    condition = {
      age                        = 30
      created_before             = null
      with_state                 = null
      matches_storage_class      = null
      num_newer_versions         = null
      custom_time_before         = null
      days_since_custom_time     = null
      days_since_noncurrent_time = null
      noncurrent_time_before     = null
    }
  }
}
# tftest modules=1 resources=2
```
Minimal example with GCS notifications
```hcl
module "bucket-gcs-notification" {
  source     = "./modules/gcs"
  project_id = "myproject"
  prefix     = "test"
  name       = "my-bucket"
  notification_config = {
    enabled        = true
    payload_format = "JSON_API_V1"
    # GCS SA email must be passed or fetched from projects module.
    sa_email          = "service-<project-number>@gs-project-accounts.iam.gserviceaccount.com"
    topic_name        = "gcs-notification-topic"
    event_types       = ["OBJECT_FINALIZE"]
    custom_attributes = {}
  }
}
# tftest modules=1 resources=4
```
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| name | Bucket name suffix. | string | ✓ | |
| project_id | Bucket project id. | string | ✓ | |
| cors | CORS configuration for the bucket. Defaults to null. | object({…}) | | null |
| encryption_key | KMS key that will be used for encryption. | string | | null |
| force_destroy | Optional flag to set force destroy, defaults to false. | bool | | false |
| iam | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| labels | Labels to be attached to all buckets. | map(string) | | {} |
| lifecycle_rule | Bucket lifecycle rule. | object({…}) | | null |
| location | Bucket location. | string | | "EU" |
| logging_config | Bucket logging configuration. | object({…}) | | null |
| notification_config | GCS Notification configuration. | object({…}) | | null |
| prefix | Prefix used to generate the bucket name. | string | | null |
| retention_policy | Bucket retention policy. | object({…}) | | null |
| storage_class | Bucket storage class. | string | | "MULTI_REGIONAL" |
| uniform_bucket_level_access | Enable uniform bucket-level access (true, the recommended behavior) or allow object ACLs (false). Defaults to true, which is the recommended practice but not the default behavior of the Storage API. | bool | | true |
| versioning | Enable versioning, defaults to false. | bool | | false |
| website | Bucket website. | object({…}) | | null |
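Added example, not part of the module's README: one bucket that sets the access-control, encryption, logging and retention variables from the table above explicitly instead of relying on their defaults, so a later change to any of them is visible in review. The project id, KMS key resource name, log bucket and principals are placeholders for this illustration.

```hcl
# Added example (not from the module README); names below are placeholders.
module "bucket-hardened" {
  source     = "./modules/gcs"
  project_id = "myproject"
  prefix     = "test"
  name       = "audit-logs"
  location   = "EU"

  # Already the module default, but stated explicitly: with uniform access
  # only IAM applies, so no per-object ACL can widen access later.
  uniform_bucket_level_access = true

  # Keep prior object generations and refuse to delete a non-empty bucket.
  versioning    = true
  force_destroy = false

  # Customer-managed key; use the full CryptoKey resource name (placeholder).
  encryption_key = "projects/myproject/locations/eu/keyRings/placeholder-ring/cryptoKeys/placeholder-key"

  # Least privilege: writers can only create objects, readers can only read.
  # No roles/storage.admin binding on a bucket holding audit data.
  iam = {
    "roles/storage.objectCreator" = ["serviceAccount:log-writer@myproject.iam.gserviceaccount.com"]
    "roles/storage.objectViewer"  = ["group:security-auditors@example.com"]
  }

  # retention_period is in seconds; 31536000 = 365 days. A locked policy
  # cannot be shortened or removed afterwards, so set is_locked only once
  # the period is final.
  retention_policy = {
    retention_period = 31536000
    is_locked        = true
  }

  # Access logs go to a separate bucket (placeholder name) so a change to
  # this bucket's policy cannot also hide the record of the change.
  logging_config = {
    log_bucket        = "placeholder-access-logs-bucket"
    log_object_prefix = "audit-logs/"
  }

  labels = {
    "data-classification" = "restricted"
  }
}

# Module outputs from the table below, exposed for downstream stages.
output "audit_bucket_url" {
  value = module.bucket-hardened.url
}
```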
Outputs
| name | description | sensitive |
|---|---|---|
| bucket | Bucket resource. | |
| name | Bucket name. | |
| notification | GCS Notification self link. | |
| topic | Topic ID used by GCS. | |
| url | Bucket URL. | |