simple_bucket

Terraform Google Cloud Storage Module

This module makes it easy to create a GCS bucket, and assign basic permissions on it to arbitrary users.

The resources/services/activations/deletions that this module will create/trigger are:

• One GCS bucket
• Zero or more IAM bindings for that bucket

Compatibility

This module is meant for use with Terraform 0.13+.

Usage

Basic usage of this module is as follows:

module "bucket" {
  source  = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
  version = "~> 12.3"

  name       = "example-bucket"
  project_id = "example-project"
  location   = "us-east1"
  iam_members = [{
    role   = "roles/storage.objectViewer"
    member = "user:example-user@example.com"
  }]
}

Functional examples are included in the examples directory.

Inputs

Name	Description	Type	Default	Required
autoclass	While set to true, autoclass is enabled for this bucket.	bool	false	no
bucket_policy_only	Enables Bucket Policy Only access to a bucket.	bool	true	no
cors	Configuration of CORS for bucket with structure as defined in https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#cors.	list(object({ origin = optional(list(string)) method = optional(list(string)) response_header = optional(list(string)) max_age_seconds = optional(number) }))	[]	no
custom_placement_config	Configuration of the bucket's custom location in a dual-region bucket setup. If the bucket is designated a single or multi-region, the variable are null.	object({ data_locations = list(string) })	null	no
encryption	A Cloud KMS key that will be used to encrypt objects inserted into this bucket. The key name should follow the format of projects/<project-name>/locations/<location-name>/keyRings/<keyring-name>/cryptoKeys/<key-name>. To use a Cloud KMS key automatically created by this module use the internal_encryption_config input variable.	object({ default_kms_key_name = string })	null	no
force_destroy	When deleting a bucket, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects.	bool	false	no
hierarchical_namespace	When set to true, hierarchical namespace is enable for this bucket.	bool	false	no
iam_members	The list of IAM members to grant permissions on the bucket.	list(object({ role = string member = string }))	[]	no
internal_encryption_config	Configuration for the creation of an internal Google Cloud Key Management Service (KMS) Key for use as Customer-managed encryption key (CMEK) for the GCS Bucket instead of creating one in advance and providing the key in the variable encryption.default_kms_key_name. create_encryption_key: If true a Google Cloud Key Management Service (KMS) KeyRing and a Key will be created prevent_destroy: Set the prevent_destroy lifecycle attribute on keys. key_destroy_scheduled_duration: Set the period of time that versions of keys spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. key_rotation_period: Generate a new key every time this period passes.	object({ create_encryption_key = optional(bool, false) prevent_destroy = optional(bool, false) key_destroy_scheduled_duration = optional(string, null) key_rotation_period = optional(string, "7776000s") })	{}	no
ip_filter	The IP filter configuration for the bucket. Restricts access based on source IP addresses. - mode: "Enabled" or "Disabled" - public_network_source: (Optional) Configure allowed public internet IP ranges - vpc_network_sources: (Optional) Configure allowed VPC networks and IP ranges - allow_cross_org_vpcs: (Optional) Allow VPC networks from different organizations - allow_all_service_agent_access: (Optional) Allow Google Cloud service agents to access the bucket regardless of IP filtering Both public_network_source and vpc_network_sources can be configured together. Example: ip_filter = { mode = "Enabled" public_network_source = { allowed_ip_cidr_ranges = ["203.0.113.0/24"] } vpc_network_sources = [{ network = "projects/my-project/global/networks/my-vpc" allowed_ip_cidr_ranges = ["10.0.0.0/8"] }] allow_cross_org_vpcs = true allow_all_service_agent_access = true } Limits: Max 200 IP CIDR blocks, 25 VPC networks. May block some Google Cloud services. See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#ip_filter-1	object({ mode = string public_network_source = optional(object({ allowed_ip_cidr_ranges = list(string) })) vpc_network_sources = optional(list(object({ network = string allowed_ip_cidr_ranges = list(string) }))) allow_cross_org_vpcs = optional(bool) allow_all_service_agent_access = optional(bool) })	null	no
labels	A set of key/value label pairs to assign to the bucket.	map(string)	null	no
lifecycle_rules	The bucket's Lifecycle Rules configuration.	list(object({ # Object with keys: # - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass. # - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule. action = object({ type = string storage_class = optional(string) }) # Object with keys: # - age - (Optional) Minimum age of an object in days to satisfy this condition. # - send_age_if_zero - (Optional) While set true, num_newer_versions value will be sent in the request even for zero value of the field. # - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition. # - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY". # - matches_storage_class - (Optional) Storage Class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY. # - matches_prefix - (Optional) One or more matching name prefixes to satisfy this condition. # - matches_suffix - (Optional) One or more matching name suffixes to satisfy this condition # - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition. # - custom_time_before - (Optional) A date in the RFC 3339 format YYYY-MM-DD. This condition is satisfied when the customTime metadata for the object is set to an earlier date than the date used in this lifecycle condition. # - days_since_custom_time - (Optional) Days since the date set in the customTime metadata for the object. # - days_since_noncurrent_time - (Optional) Relevant only for versioned objects. Number of days elapsed since the noncurrent timestamp of an object. # - noncurrent_time_before - (Optional) Relevant only for versioned objects. The date in RFC 3339 (e.g. 2017-06-13) when the object became nonconcurrent. condition = object({ age = optional(number) send_age_if_zero = optional(bool) created_before = optional(string) with_state = optional(string) matches_storage_class = optional(string) matches_prefix = optional(string) matches_suffix = optional(string) num_newer_versions = optional(number) custom_time_before = optional(string) days_since_custom_time = optional(number) days_since_noncurrent_time = optional(number) noncurrent_time_before = optional(string) }) }))	[]	no
location	The location of the bucket. See https://cloud.google.com/storage/docs/locations.	string	n/a	yes
log_bucket	The bucket that will receive log objects.	string	null	no
log_object_prefix	The object prefix for log objects. If it's not provided, by default GCS sets this to this bucket's name	string	null	no
name	The name of the bucket.	string	n/a	yes
project_id	The ID of the project to create the bucket in.	string	n/a	yes
public_access_prevention	Prevents public access to a bucket. Acceptable values are inherited or enforced. If inherited, the bucket uses public access prevention, only if the bucket is subject to the public access prevention organization policy constraint.	string	"inherited"	no
retention_policy	Configuration of the bucket's data retention policy for how long objects in the bucket should be retained.	object({ is_locked = optional(bool) retention_period = number })	null	no
soft_delete_policy	Soft delete policies to apply. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#nested_soft_delete_policy	object({ retention_duration_seconds = optional(number) })	{}	no
storage_class	The Storage Class of the new bucket.	string	null	no
versioning	While set to true, versioning is fully enabled for this bucket.	bool	true	no
website	Map of website values. Supported attributes: main_page_suffix, not_found_page	object({ main_page_suffix = optional(string) not_found_page = optional(string) })	{}	no

Outputs

Name	Description
apphub_service_uri	URI in CAIS style to be used by Apphub.
bucket	The created storage bucket
internal_kms_configuration	The intenal KMS Resource.
name	Bucket name.
url	Bucket URL.

Requirements

These sections describe requirements for using this module.

Software

The following dependencies must be available:

• Terraform >= 0.13.0
• Terraform Provider for GCP plugin >= v4.42

Service Account

User or service account credentials with the following roles must be used to provision the resources of this module:

• Storage Admin: roles/storage.admin

The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.

APIs

A project with the following APIs enabled must be used to host the resources of this module:

• Google Cloud Storage JSON API: storage-api.googleapis.com

The Project Factory module can be used to provision a project with the necessary APIs enabled.

Contributing

Refer to the contribution guidelines for information on contributing to this module.