Google Cloud Storage Bucket
This page shows how to write Terraform for a Cloud Storage bucket and how to configure it securely.
google_storage_bucket (Terraform)
A bucket in Cloud Storage can be configured in Terraform with the resource name google_storage_bucket. The following sections describe 2 examples of how to use the resource and its parameters.
Example Usage from GitHub
# A minimal bucket. MULTI_REGIONAL is a legacy storage class; STANDARD is the
# current equivalent for a multi-region location such as "EU". Neither
# uniform_bucket_level_access nor any other hardening is set here.
resource "google_storage_bucket" "quadrennium" {
name = "quadrennium"
location = "EU"
storage_class = "MULTI_REGIONAL"
}
# A backups bucket named after the project. Note that force_destroy = true
# lets `terraform destroy` (or a plan that replaces the bucket) delete every
# backup object it contains, so treat it with care on a bucket holding backups.
resource "google_storage_bucket" "gitlab-backups" {
name = format("%s-gitlab-backups", var.project_id)
force_destroy = true
location = var.region
}
Security Best Practices for google_storage_bucket
There is 1 setting in google_storage_bucket that should be taken care of for security reasons. The following section gives an overview and example code.
Ensure uniform bucket-level access of your GCS bucket is enabled
Enable uniform bucket-level access on the GCS bucket. While it is off, access to objects is governed by both IAM policies on the bucket and legacy per-object ACLs, so a single ACL grant (for example to allUsers) can expose an object in a way that a review of the IAM policy will not show. With uniform bucket-level access enabled, object ACLs are disabled and IAM is the only access-control path, which unifies and simplifies how you grant access to resources in the bucket. Once enabled, it can be switched off again only within a limited window (90 days at the time of writing), after which it becomes permanent, so plan the IAM bindings before turning it on.
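The weak setting beside the corrected one, as an added example that is not code from the original page or from any of the projects it cites. The bucket names, var.project_id and var.reader_sa_email are assumptions made for the example.

```hcl
# Added example; names and the var.* inputs are assumptions, not values from the page.

# Weak: uniform_bucket_level_access is not set, so the bucket keeps legacy
# per-object ACLs alongside IAM. An object can be exposed by one ACL grant
# (e.g. allUsers: READER) that an IAM policy review never shows.
resource "google_storage_bucket" "weak" {
  name     = "${var.project_id}-weak-example"
  location = "EU"
}

# Hardened: IAM is the only access-control path. Object ACLs are disabled and
# any API call that tries to set one fails.
resource "google_storage_bucket" "hardened" {
  name                        = "${var.project_id}-hardened-example"
  location                    = "EU"
  uniform_bucket_level_access = true
}

# With ACLs gone, access is granted only through IAM bindings on the bucket,
# which are visible in `terraform plan` and in every IAM audit.
resource "google_storage_bucket_iam_member" "hardened_reader" {
  bucket = google_storage_bucket.hardened.name
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${var.reader_sa_email}"
}
```

To confirm the setting on a live bucket, `gsutil ubla get gs://<bucket-name>` prints whether uniform bucket-level access is enabled and, if so, since when; anything the provider reports as `uniform_bucket_level_access = false` (or unset) in `terraform show` is a bucket still accepting ACLs. The older `bucket_policy_only` argument listed under Parameters below is the earlier name for this same setting; use `uniform_bucket_level_access` and do not set both.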
Parameters
- bucket_policy_only (optional, computed, bool): Enables Bucket Policy Only access to a bucket. This is the earlier name of the same setting as uniform_bucket_level_access; prefer uniform_bucket_level_access.
- default_event_based_hold (optional, bool): Whether an event-based hold is automatically applied to each new object added to the bucket.
- force_destroy (optional, bool): When deleting a bucket, this boolean option will delete all contained objects. Without it, an attempt to delete a bucket that still contains objects makes the Terraform run fail.
- labels (optional, map of string): A set of key/value label pairs to assign to the bucket.
- location (optional, string): The Google Cloud Storage location.
- name (required, string): The name of the bucket.
- project (optional, computed, string): The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- requester_pays (optional, bool): Enables Requester Pays on a storage bucket.
- self_link (optional, computed, string): The URI of the created resource.
- storage_class (optional, string): The Storage Class of the new bucket. Supported values include: STANDARD, MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE.
- uniform_bucket_level_access (optional, computed, bool): Enables uniform bucket-level access on a bucket.
- url (optional, computed, string): The base URL of the bucket, in the format gs://<bucket-name>.
- cors (list block):
  - max_age_seconds (optional, number): The value, in seconds, to return in the Access-Control-Max-Age header used in preflight responses.
  - method (optional, list of string): The list of HTTP methods on which to include CORS response headers (GET, OPTIONS, POST, etc.). Note: "*" is permitted in the list of methods, and means "any method".
  - origin (optional, list of string): The list of Origins eligible to receive CORS response headers. Note: "*" is permitted in the list of origins, and means "any Origin".
  - response_header (optional, list of string): The list of HTTP headers other than the simple response headers to give permission for the user-agent to share across domains.
- encryption (list block):
  - default_kms_key_name (required, string): A Cloud KMS key that will be used to encrypt objects inserted into this bucket if no encryption method is specified. You must pay attention to whether the crypto key is available in the location that this bucket is created in. See the docs for more details.
- lifecycle_rule (list block):
  - action (set block):
    - storage_class (optional, string): The target Storage Class of objects affected by this Lifecycle Rule. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE.
    - type (required, string): The type of the action of this Lifecycle Rule. Supported values include: Delete and SetStorageClass.
  - condition (set block):
    - age (optional, number): Minimum age of an object in days to satisfy this condition.
    - created_before (optional, string): Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.
    - custom_time_before (optional, string): A date in RFC 3339 (e.g. 2017-06-13). The condition is satisfied when the object's custom-time metadata is set to an earlier date.
    - days_since_custom_time (optional, number): Number of days elapsed since the user-specified timestamp set on an object.
    - days_since_noncurrent_time (optional, number): Number of days elapsed since the noncurrent timestamp of an object. This condition is relevant only for versioned objects.
    - matches_storage_class (optional, list of string): Storage Class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE, STANDARD, DURABLE_REDUCED_AVAILABILITY.
    - noncurrent_time_before (optional, string): Relevant only for versioned objects. A date in RFC 3339 (e.g. 2017-06-13); the condition is satisfied by objects that became noncurrent before that date.
    - num_newer_versions (optional, number): Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.
    - with_state (optional, computed, string): Match to live and/or archived objects. Unversioned buckets have only live objects. Supported values include: "LIVE", "ARCHIVED", "ANY".
- logging (list block):
  - log_bucket (required, string): The bucket that will receive log objects.
  - log_object_prefix (optional, computed, string): The object prefix for log objects. If it's not provided, by default Google Cloud Storage sets this to this bucket's name.
- retention_policy (list block):
  - is_locked (optional, bool): If set to true, the bucket will be locked and permanently restrict edits to the bucket's retention policy. Caution: Locking a bucket is an irreversible action.
  - retention_period (required, number): The period of time, in seconds, that objects in the bucket must be retained and cannot be deleted, overwritten, or archived. The value must be less than 3,155,760,000 seconds.
- versioning (list block):
  - enabled (required, bool): While set to true, versioning is fully enabled for this bucket.
- website (list block):
  - main_page_suffix (optional, string): Behaves as the bucket's directory index where missing objects are treated as potential directories.
  - not_found_page (optional, string): The custom object to return when a requested resource is not found.
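The nested blocks above (encryption, logging, versioning, lifecycle_rule, retention_policy) combined into one hardened pair of buckets, as an added example that is not code from the original page or from the projects it cites. The bucket names, var.project_id, var.region and var.kms_key_name are assumptions; the KMS key is assumed to already exist in a location compatible with var.region, with the Cloud Storage service agent granted the encrypter/decrypter role on it.

```hcl
# Added example; names and the var.* inputs are assumptions, not values from the page.

# Destination for access logs. The retention policy is locked so log objects
# cannot be deleted or overwritten before one year, even by a project owner.
# is_locked = true is irreversible: apply it only once the period is agreed.
resource "google_storage_bucket" "logs" {
  name                        = "${var.project_id}-access-logs"
  location                    = var.region
  storage_class               = "STANDARD"
  uniform_bucket_level_access = true

  retention_policy {
    retention_period = 365 * 24 * 60 * 60 # one year, expressed in seconds
    is_locked        = true
  }
}

# Cloud Storage writes usage/storage logs as the cloud-storage-analytics group;
# with ACLs disabled, the only way to let it write is an IAM binding.
resource "google_storage_bucket_iam_member" "log_writer" {
  bucket = google_storage_bucket.logs.name
  role   = "roles/storage.objectCreator"
  member = "group:cloud-storage-analytics@google.com"
}

resource "google_storage_bucket" "data" {
  name                        = "${var.project_id}-data"
  location                    = var.region
  storage_class               = "STANDARD"
  uniform_bucket_level_access = true
  force_destroy               = false # refuse to delete the bucket while it holds objects

  # Customer-managed encryption key (CMEK) applied to every object that is
  # uploaded without an explicit key. The key must be usable from the bucket's
  # location, as the Parameters section warns.
  encryption {
    default_kms_key_name = var.kms_key_name
  }

  # Versioning keeps overwritten and deleted objects as noncurrent versions,
  # which is what makes accidental or malicious deletion recoverable.
  versioning {
    enabled = true
  }

  # Access logs go to the locked bucket above under a recognisable prefix.
  logging {
    log_bucket        = google_storage_bucket.logs.name
    log_object_prefix = "data-bucket"
  }

  # Bound the cost of versioning: keep at most 5 noncurrent versions per object
  # and drop any noncurrent version older than 90 days. Both rules match only
  # ARCHIVED (noncurrent) versions, so live objects are never deleted by them.
  lifecycle_rule {
    action { type = "Delete" }
    condition {
      with_state         = "ARCHIVED"
      num_newer_versions = 5
    }
  }
  lifecycle_rule {
    action { type = "Delete" }
    condition {
      with_state                 = "ARCHIVED"
      days_since_noncurrent_time = 90
    }
  }

  # Move live objects that are 30 days old to a cheaper class instead of deleting them.
  lifecycle_rule {
    action {
      type          = "SetStorageClass"
      storage_class = "NEARLINE"
    }
    condition {
      with_state = "LIVE"
      age        = 30
    }
  }
}
```

Review the plan for the logs bucket with particular care: once `is_locked = true` has been applied, the retention period can only be increased, and the bucket cannot be deleted until every object has aged out of it.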
Explanation in Terraform Registry
Creates a new bucket in Google Cloud Storage (GCS). Once a bucket has been created, its location can't be changed. For more information see the official documentation and API. Note: If the project id is not set on the resource or in the provider block it will be dynamically determined, which will require enabling the compute API.
Frequently asked questions
What is Google Cloud Storage Bucket?
Google Cloud Storage Bucket is a resource for Cloud Storage of Google Cloud Platform. Its settings can be written in Terraform.
Where can I find the example code for the Google Cloud Storage Bucket?
For Terraform, the upodroid/conflux-k8 and loganrobertclemons/lrc-portfolio source code examples are useful. See the Terraform Example section for further details.