* factories refactor doc * Adds file schema and filesystem organization * Update 20231106-factories.md * move factories out of blueprints and create new factories README * align factory in billing-account module * align factory in dataplex-datascan module * align factory in billing-account module * align factory in net-firewall-policy module * align factory in dns-response-policy module * align factory in net-vpc-firewall module * align factory in net-vpc module * align factory variable names in FAST * remove decentralized firewall blueprint * bump terraform version * bump module versions * update top-level READMEs * move project factory to modules * fix variable names and tests * tfdoc * remove changelog link * add project factory to top-level README * fix cludrun eventarc diff * fix README * fix cludrun eventarc diff --------- Co-authored-by: Simone Ruffilli <sruffilli@google.com>
Google Cloud Storage Module
Example
# Minimal bucket: name is composed from prefix + name by the module.
module "bucket" {
  source     = "./fabric/modules/gcs"
  project_id = var.project_id
  prefix     = var.prefix
  name       = "my-bucket"
  labels = {
    cost-center = "devops"
  }
  # Object versioning keeps previous generations of overwritten/deleted objects.
  versioning = true
}
# tftest modules=1 resources=1 inventory=simple.yaml e2e
Example with Cloud KMS
# Existing project wrapper: project_create = false means the module only
# reads the project so its service agents can be referenced below.
module "project" {
  source         = "./fabric/modules/project"
  project_create = false
  name           = var.project_id
}
module "kms" {
  source     = "./fabric/modules/kms"
  project_id = var.project_id
  keyring = {
    name     = "test"
    location = "europe" # location of the KMS keyring must match the location of the bucket
  }
  keys = {
    bucket_key = {
      iam_bindings = {
        # The Cloud Storage service agent must be able to encrypt/decrypt with
        # the key, otherwise the bucket cannot use it as its default CMEK.
        bucket_key_iam = {
          role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
          members = ["serviceAccount:${module.project.service_accounts.robots.storage}"]
        }
      }
    }
  }
}
# CMEK-encrypted bucket; the key comes from the kms module above.
module "bucket" {
  source     = "./fabric/modules/gcs"
  project_id = var.project_id
  prefix     = var.prefix
  name       = "my-bucket"
  location   = "EU" # same location as the keyring ("europe")
  # Customer-managed key id; the IAM binding in the kms module is a prerequisite.
  encryption_key = module.kms.keys.bucket_key.id
}
# tftest modules=3 skip e2e
Example with retention policy and logging
module "bucket" {
  source     = "./fabric/modules/gcs"
  project_id = var.project_id
  prefix     = var.prefix
  name       = "my-bucket"
  retention_policy = {
    # retention_period is in seconds.
    retention_period = 100
    # Locking is permanent: a locked policy cannot be removed and its period
    # cannot be shortened, and the bucket cannot be deleted while it still
    # holds objects younger than the retention period.
    is_locked = true
  }
  logging_config = {
    # Destination bucket for access/storage logs; it is not created by this
    # example (only one resource is created here) and must already exist.
    log_bucket        = "log-bucket"
    log_object_prefix = null
  }
}
# tftest modules=1 resources=1 inventory=retention-logging.yaml
Example with lifecycle rule
module "bucket" {
  source     = "./fabric/modules/gcs"
  project_id = var.project_id
  prefix     = var.prefix
  name       = "my-bucket"
  lifecycle_rules = {
    # Objects older than 30 days are moved to the STANDARD storage class.
    lr-0 = {
      condition = {
        age = 30 # days
      }
      action = {
        type          = "SetStorageClass"
        storage_class = "STANDARD"
      }
    }
  }
}
# tftest modules=1 resources=1 inventory=lifecycle.yaml e2e
Minimal example with GCS notifications
# Existing project wrapper used only to look up the storage service agent.
module "project" {
  source         = "./fabric/modules/project"
  project_create = false
  name           = var.project_id
}
module "bucket-gcs-notification" {
  source     = "./fabric/modules/gcs"
  project_id = var.project_id
  prefix     = var.prefix
  name       = "my-bucket"
  notification_config = {
    enabled        = true
    topic_name     = "gcs-notification-topic"
    payload_format = "JSON_API_V1"
    # Storage service agent of the project; presumably the identity that
    # publishes to the topic — confirm against the module's notification.tf.
    sa_email = module.project.service_accounts.robots.storage
    # Only object creation/overwrite events are delivered.
    event_types       = ["OBJECT_FINALIZE"]
    custom_attributes = {}
  }
}
# tftest skip e2e
Example with object upload
module "bucket" {
  source     = "./fabric/modules/gcs"
  project_id = var.project_id
  prefix     = var.prefix
  name       = "my-bucket"
  # Each key becomes one uploaded object (bucket + object = 2 resources).
  objects_to_upload = {
    sample-data = {
      name         = "example-file.csv"   # object name in the bucket
      source       = "assets/example-file.csv" # local file to upload
      content_type = "text/csv"
    }
  }
}
# tftest modules=1 resources=2 inventory=object-upload.yaml e2e
Examples of IAM
module "bucket" {
  source     = "./fabric/modules/gcs"
  project_id = var.project_id
  prefix     = var.prefix
  name       = "my-bucket"
  # Role => members map. Per the inventory name (iam-authoritative) this is
  # authoritative for the listed role: members not listed here for
  # roles/storage.admin are expected to be removed — confirm against the module.
  iam = {
    "roles/storage.admin" = ["group:${var.group_email}"]
  }
}
# tftest modules=1 resources=2 inventory=iam-authoritative.yaml e2e
module "bucket" {
  source     = "./fabric/modules/gcs"
  project_id = var.project_id
  prefix     = var.prefix
  name       = "my-bucket"
  # Authoritative binding with an IAM condition: the admin group can only
  # create/modify grants for the two object-level roles listed below, which
  # limits the blast radius of roles/storage.admin.
  iam_bindings = {
    storage-admin-with-delegated_roles = {
      role    = "roles/storage.admin"
      members = ["group:${var.group_email}"]
      condition = {
        title = "delegated-role-grants"
        expression = format(
          "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
          join(",", formatlist("'%s'",
            [
              "roles/storage.objectAdmin",
              "roles/storage.objectViewer",
            ]
          ))
        )
      }
    }
  }
}
# tftest modules=1 resources=2 inventory=iam-bindings.yaml e2e
module "bucket" {
  source     = "./fabric/modules/gcs"
  project_id = var.project_id
  prefix     = var.prefix
  name       = "my-bucket"
  # Additive variant: one member per entry, added alongside existing bindings
  # for the role rather than replacing them. Same delegated-grants condition
  # as the authoritative example.
  iam_bindings_additive = {
    storage-admin-with-delegated_roles = {
      role   = "roles/storage.admin"
      member = "group:${var.group_email}"
      condition = {
        title = "delegated-role-grants"
        expression = format(
          "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
          join(",", formatlist("'%s'",
            [
              "roles/storage.objectAdmin",
              "roles/storage.objectViewer",
            ]
          ))
        )
      }
    }
  }
}
# tftest modules=1 resources=2 inventory=iam-bindings-additive.yaml e2e
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| name | Bucket name suffix. | string | ✓ |  |
| project_id | Bucket project id. | string | ✓ |  |
| autoclass | Enable autoclass to automatically transition objects to appropriate storage classes based on their access pattern. If set to true, storage_class must be set to STANDARD. Defaults to false. | bool |  | false |
| cors | CORS configuration for the bucket. Defaults to null. | object({…}) |  | null |
| custom_placement_config | The bucket's custom location configuration, which specifies the individual regions that comprise a dual-region bucket. If the bucket is designated as REGIONAL or MULTI_REGIONAL, the parameters are empty. | list(string) |  | null |
| default_event_based_hold | Enable event-based hold on new objects added to the bucket, defaults to false. | bool |  | null |
| encryption_key | KMS key that will be used for encryption. | string |  | null |
| force_destroy | Optional flag to set force destroy on the bucket, defaults to false. | bool |  | false |
| iam | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) |  | {} |
| iam_bindings | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) |  | {} |
| iam_bindings_additive | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) |  | {} |
| labels | Labels to be attached to all buckets. | map(string) |  | {} |
| lifecycle_rules | Bucket lifecycle rules. | map(object({…})) |  | {} |
| location | Bucket location. | string |  | "EU" |
| logging_config | Bucket logging configuration. | object({…}) |  | null |
| notification_config | GCS Notification configuration. | object({…}) |  | null |
| objects_to_upload | Objects to be uploaded to bucket. | map(object({…})) |  | {} |
| prefix | Optional prefix used to generate the bucket name. | string |  | null |
| public_access_prevention | Prevents public access to the bucket. Acceptable values are inherited or enforced. With inherited, public access prevention applies only if the bucket is subject to the public access prevention organization policy constraint. | string |  | null |
| requester_pays | Enables Requester Pays on a storage bucket. | bool |  | null |
| retention_policy | Bucket retention policy. | object({…}) |  | null |
| storage_class | Bucket storage class. | string |  | "MULTI_REGIONAL" |
| uniform_bucket_level_access | Set to true to disable object ACLs and use uniform bucket-level access (the recommended behavior), or false to allow object ACLs. Defaults to true, which is the recommended practice but not the default behavior of the storage API. | bool |  | true |
| versioning | Enable versioning, defaults to false. | bool |  | false |
| website | Bucket website. | object({…}) |  | null |
Outputs
| name | description | sensitive |
|---|---|---|
| bucket | Bucket resource. | |
| id | Fully qualified bucket id. | |
| name | Bucket name. | |
| notification | GCS Notification self link. | |
| objects | Objects in GCS bucket. | |
| topic | Topic ID used by GCS. | |
| url | Bucket URL. |