Skip to content

sr-ghe-org/terraform-gcp-gcs-new

BranchesTags

Repository files navigation

Google Cloud Storage (GCS)

This Terraform module creates Google Cloud Storage (GCS) buckets, categorized as PCI compliant and Non-PCI compliant, leveraging the terraform-google-modules/cloud-storage/google module.

Variables

Mandatory Variables

  • project_id: The GCP project ID where GCS bucket will be created.
  • bucket_name_prefix: Prefix for the GCS bucket names.
  • bucket_type: PCI bucket or Non-PCI bucket ("pci" or "non-pci").
  • location: Google Cloud region for the bucket (e.g., "northamerica-northeast1"). For multi-region buckets (e.g., "us,ca").
  • internal_encryption_config or kms_key_names: Configuration for Customer-Managed Encryption Keys (CMEK). You must provide one of these.

Optional Variables

  • project_number: The GCP project number where the KMS service account exists. Required if using kms_key_names.
  • custom_placement_config: Configuration for dual-region buckets.
  • iam_members: List of IAM members to grant permissions on the bucket.
  • versioning: Enables versioning for the bucket. Defaults to false.
  • labels: Labels to apply to the bucket. Defaults to bucket_type = "pci" or bucket_type = "non-pci".
  • storage_class: The storage class for the bucket. Defaults to STANDARD.
  • autoclass: Enables Autoclass for the bucket. Defaults to false.
  • retention_policy: Configuration for data retention policy.
  • soft_delete_policy: Configuration for soft delete policy.
  • lifecycle_rules: List of lifecycle rules.
  • force_destroy: Allows deletion of non-empty buckets. Defaults to false.
  • kms_key_names: Map of region names to CMEK key names. The keys must already exist. Required if using CMEK and not using internal_encryption_config. Defaults to ""
  • internal_encryption_config : Creation of an internal Google Cloud Key Management Service (KMS) Key for use as Customer-managed encryption key (CMEK).Defaults to {}

Table of Contents

Overview

This module simplifies the creation and management of GCS buckets, distinguishing between PCI and Non-PCI compliant buckets. It utilizes submodules for managing each type of bucket, allowing for specific configurations. It aims to promote security best practices, including CMEK encryption, data retention policies.

Key Principle: Some parameters are enforced within the module for security and compliance reasons. Other parameters are passed through from the user, allowing for flexibility and customization. The inputs are clearly marked below to indicate which are enforced and which are user-passed.

Example Input

For complete and working examples, please see the examples folder within this module's repository.

  #
  #  REQUIRED VARIABLES
  #
  # TODO: update "bucket_name_prefix" value
  bucket_name_prefix  = null
  # TODO: update "bucket_type" value
  bucket_type  = null
  # TODO: update "location" value
  location  = null
  # TODO: update "project_id" value
  project_id  = null
  #
  #  OPTIONAL VARIABLES
  #
  autoclass  = false
  bucket_policy_only  = true
  custom_placement_config  = null
  force_destroy  = false
  iam_members  = []
  internal_encryption_config  = {}
  kms_key_names  = ""
  labels  = null
  lifecycle_rules  = []
  project_number  = null
  public_access_prevention  = "enforced"
  retention_policy  = null
  soft_delete_policy  = {}
  storage_class  = "STANDARD"
  versioning  = false

Encryption Configuration (Choose ONE of the following methods)

  • You MUST provide either 'kms_key_names' OR 'internal_encryption_config' to enable CMEK.
  • If 'kms_key_names' is passed - then also pass the value of 'project_number'

Requirements

Name Version
terraform >= 0.13
google >= 5.43.0

Inputs

Name Description Type Default Required
autoclass While set to true, autoclass is enabled for this bucket. bool false no
bucket_name_prefix Prefix for the GCS bucket names string n/a yes
bucket_policy_only Enables Bucket Policy Only access to a bucket. bool true no
bucket_type PCI bucket or Non-PCI bucket string n/a yes
custom_placement_config Configuration of the bucket's custom location in a dual-region bucket setup. If the bucket is designated a single or multi-region, the variable are null. 
object({
    data_locations = list(string)
  })
 null no
force_destroy When deleting a bucket, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects. bool false no
iam_members The list of IAM members to grant permissions on the bucket. 
list(object({
    role   = string
    member = string
  }))
 [] no
internal_encryption_config Configuration for the creation of an internal Google Cloud Key Management Service (KMS) Key for use as Customer-managed encryption key (CMEK) for the GCS Bucket
instead of creating one in advance and providing the key in the variable encryption.default_kms_key_name.
create_encryption_key: If true a Google Cloud Key Management Service (KMS) KeyRing and a Key will be created
prevent_destroy: Set the prevent_destroy lifecycle attribute on keys.
key_destroy_scheduled_duration: Set the period of time that versions of keys spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
key_rotation_period: Generate a new key every time this period passes.		 
object({
    create_encryption_key          = optional(bool, false)
    prevent_destroy                = optional(bool, false)
    key_destroy_scheduled_duration = optional(string, null)
    key_rotation_period            = optional(string, "7776000s")
  })
 {} no
kms_key_names Map of region names to CMEK key names. The CMEK keys must already exist in the corresponding regions. string "" no
labels A set of key/value label pairs to assign to the bucket. map(string) null no
lifecycle_rules The bucket's Lifecycle Rules configuration. 
list(object({
    # Object with keys:
    # - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass.
    # - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule.
    action = any

    # Object with keys:
    # - age - (Optional) Minimum age of an object in days to satisfy this condition.
    # - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.
    # - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY".
    # - matches_storage_class - (Optional) Storage Class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY.
    # - matches_prefix - (Optional) One or more matching name prefixes to satisfy this condition.
    # - matches_suffix - (Optional) One or more matching name suffixes to satisfy this condition
    # - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.
    condition = any
  }))
 [] no
location List of regions for Non-PCI buckets string n/a yes
project_id The GCP project ID where GCS bucket will be created string n/a yes
project_number The GCP project number where GCS Service account exists string null no
public_access_prevention Prevents public access to a bucket. Acceptable values are inherited or enforced. If inherited, the bucket uses public access prevention, only if the bucket is subject to the public access prevention organization policy constraint. string "enforced" no
retention_policy Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. 
object({
    is_locked        = bool
    retention_period = number
  })
 null no
soft_delete_policy Soft delete policies to apply. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#nested_soft_delete_policy 
object({
    retention_duration_seconds = optional(number, 604800)
  })
 {} no
storage_class The Storage Class of the new bucket. string "STANDARD" no
versioning While set to true, versioning is fully enabled for this bucket. bool false no

Outputs

Name Description
gcs_bucket_names List of created GCS bucket names.
gcs_bucket_urls List of created GCS bucket URLs.

Modules

Name Source Version
non_pci_gcs_buckets ./modules/gcs-buckets-non-pci n/a
pci_gcs_buckets ./modules/gcs-buckets-pci n/a

Resources

No resources.

About

Google Cloud GCS Storage Module

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages