terraform-google-cloud-storage
Creates one or more Cloud Storage buckets and assigns basic permissions on them to arbitrary users
Terraform Google Cloud Storage Module
This module makes it easy to create one or more GCS buckets, and assign basic permissions on them to arbitrary users.
The resources/services/activations/deletions that this module will create/trigger are:
- One or more GCS buckets
- Zero or more IAM bindings for those buckets
If you only wish to create a single bucket, consider using the simple bucket submodule instead.
Compatibility
This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is v1.7.1.
Usage
Basic usage of this module is as follows:
```hcl
module "gcs_buckets" {
  source  = "terraform-google-modules/cloud-storage/google"
  version = "~> 2.2"

  project_id      = "<PROJECT ID>"
  names           = ["first", "second"]
  prefix          = "my-unique-prefix"
  set_admin_roles = true
  admins          = ["group:<ADMIN GROUP EMAIL>"]
  versioning = {
    first = true
  }
  # Per-bucket members are comma-delimited, each in IAM member syntax.
  bucket_admins = {
    second = "user:<FIRST USER EMAIL>,user:<SECOND USER EMAIL>"
  }
}
```
Functional examples are included in the examples directory.
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
admins | IAM-style members who will be granted roles/storage.objectAdmin on all buckets. | list(string) | [] | no |
bucket_admins | Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket admins. | map(string) | {} | no |
bucket_creators | Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket creators. | map(string) | {} | no |
bucket_hmac_key_admins | Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket HMAC key admins. | map(string) | {} | no |
bucket_policy_only | Disable ad-hoc ACLs on the specified buckets. Defaults to true. Map of lowercase unprefixed name => boolean. | map(bool) | {} | no |
bucket_storage_admins | Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket storage admins. | map(string) | {} | no |
bucket_viewers | Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket viewers. | map(string) | {} | no |
cors | Set of maps of mixed-type attributes for CORS values. See the attribute types here: https://www.terraform.io/docs/providers/google/r/storage_bucket.html#cors | set(any) | [] | no |
creators | IAM-style members who will be granted roles/storage.objectCreator on all buckets. | list(string) | [] | no |
default_event_based_hold | Enable an event-based hold on new objects added to the specified bucket. Defaults to false. Map of lowercase unprefixed name => boolean. | map(bool) | {} | no |
encryption_key_names | Optional map of lowercase unprefixed name => string; empty strings are ignored. | map(string) | {} | no |
folders | Map of lowercase unprefixed name => list of top-level folder objects. | map(list(string)) | {} | no |
force_destroy | Optional map of lowercase unprefixed name => boolean; defaults to false. | map(bool) | {} | no |
hmac_key_admins | IAM-style members who will be granted roles/storage.hmacKeyAdmin on all buckets. | list(string) | [] | no |
labels | Labels to be attached to the buckets. | map(string) | {} | no |
lifecycle_rules | List of lifecycle rules to configure. Format is the same as described in the provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#lifecycle_rule except that condition.matches_storage_class should be a comma-delimited string. | set(object({ | [] | no |
location | Bucket location. | string | "EU" | no |
logging | Map of lowercase unprefixed name => bucket logging config object. Format is the same as described in the provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#logging | any | {} | no |
names | Bucket name suffixes. | list(string) | n/a | yes |
prefix | Prefix used to generate the bucket name. | string | n/a | yes |
project_id | Bucket project id. | string | n/a | yes |
randomize_suffix | Adds an identical, but randomized, 4-character suffix to all bucket names. | bool | false | no |
retention_policy | Map of retention policy values. Format is the same as described in the provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket#retention_policy | any | {} | no |
set_admin_roles | Grant the roles/storage.objectAdmin role to admins and bucket_admins. | bool | false | no |
set_creator_roles | Grant the roles/storage.objectCreator role to creators and bucket_creators. | bool | false | no |
set_hmac_key_admin_roles | Grant the roles/storage.hmacKeyAdmin role to hmac_key_admins and bucket_hmac_key_admins. | bool | false | no |
set_storage_admin_roles | Grant the roles/storage.admin role to storage_admins and bucket_storage_admins. | bool | false | no |
set_viewer_roles | Grant the roles/storage.objectViewer role to viewers and bucket_viewers. | bool | false | no |
storage_admins | IAM-style members who will be granted roles/storage.admin on all buckets. | list(string) | [] | no |
storage_class | Bucket storage class. | string | "STANDARD" | no |
versioning | Optional map of lowercase unprefixed name => boolean; defaults to false. | map(bool) | {} | no |
viewers | IAM-style members who will be granted roles/storage.objectViewer on all buckets. | list(string) | [] | no |
website | Map of website values. Supported attributes: main_page_suffix, not_found_page. | map(any) | {} | no |
Outputs
Name | Description |
---|---|
bucket | Bucket resource (for single use). |
buckets | Bucket resources as a list. |
buckets_map | Bucket resources by name. |
name | Bucket name (for single use). |
names | Bucket names. |
names_list | List of bucket names. |
url | Bucket URL (for single use). |
urls | Bucket URLs. |
urls_list | List of bucket URLs. |
Requirements
These sections describe requirements for using this module.
Software
The following dependencies must be available:
- Terraform >= 0.13.0
- For Terraform v0.11 see the Compatibility section above
- Terraform Provider for GCP plugin v3.0
Service Account
User or service account credentials with the following roles must be used to provision the resources of this module:
- Storage Admin: roles/storage.admin
The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.
APIs
A project with the following APIs enabled must be used to host the resources of this module:
- Google Cloud Storage JSON API: storage-api.googleapis.com
The Project Factory module can be used to provision a project with the necessary APIs enabled.
Contributing
Refer to the contribution guidelines for information on contributing to this module.