Google Cloud Storage Bucket

google_storage_bucket (Terraform)

The Bucket in Cloud Storage can be configured in Terraform with the resource name google_storage_bucket. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

upodroid/conflux-k8

resource "google_storage_bucket" "quadrennium" {
  name = "quadrennium"
  location = "EU"
  storage_class = "MULTI_REGIONAL"
}

loganrobertclemons/lrc-portfolio

resource "google_storage_bucket" "gitlab-backups" {
  name          = format("%s-gitlab-backups", var.project_id)
  force_destroy = true
  location      = var.region
}

Security Best Practices for google_storage_bucket

There is 1 setting in google_storage_bucket that should be taken care of for security reasons. The following section explain an overview and example code.

Ensure uniform bucket-level access of your GCS bucket is enabled

It is better to enable uniform bucket-level access of the GCS bucket. Uniform bucket-level access unifies and simplifies how you grant access to resources in the bucket.

Parameters

• bucket_policy_only optional computed - bool

Enables Bucket Policy Only access to a bucket.

• default_event_based_hold optional - bool
• force_destroy optional - bool

When deleting a bucket, this boolean option will delete all contained objects. If you try to delete a bucket that contains objects, Terraform will fail that run.

• id optional computed - string
• labels optional - map from string to string

A set of key/value label pairs to assign to the bucket.

• location optional - string

The Google Cloud Storage location

• name required - string

The name of the bucket.

• project optional computed - string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

• requester_pays optional - bool

Enables Requester Pays on a storage bucket.

• self_link optional computed - string

The URI of the created resource.

• storage_class optional - string

The Storage Class of the new bucket. Supported values include: STANDARD, MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE.

• uniform_bucket_level_access optional computed - bool

Enables uniform bucket-level access on a bucket.

• url optional computed - string

The base URL of the bucket, in the format gs://<bucket-name>.

• cors list block
  • max_age_seconds optional - number

  The value, in seconds, to return in the Access-Control-Max-Age header used in preflight responses.

  • method optional - list of string

  The list of HTTP methods on which to include CORS response headers, (GET, OPTIONS, POST, etc) Note: "*" is permitted in the list of methods, and means "any method".

  • origin optional - list of string

  The list of Origins eligible to receive CORS response headers. Note: "*" is permitted in the list of origins, and means "any Origin".

  • response_header optional - list of string

  The list of HTTP headers other than the simple response headers to give permission for the user-agent to share across domains.

• encryption list block
  • default_kms_key_name required - string

  A Cloud KMS key that will be used to encrypt objects inserted into this bucket, if no encryption method is specified. You must pay attention to whether the crypto key is available in the location that this bucket is created in. See the docs for more details.

• lifecycle_rule list block
  • action set block
    • storage_class optional - string

    The target Storage Class of objects affected by this Lifecycle Rule. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE.

    • type required - string

    The type of the action of this Lifecycle Rule. Supported values include: Delete and SetStorageClass.

  • condition set block
    • age optional - number

    Minimum age of an object in days to satisfy this condition.

    • created_before optional - string

    Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.

    • custom_time_before optional - string

    Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.

    • days_since_custom_time optional - number

    Number of days elapsed since the user-specified timestamp set on an object.

    • days_since_noncurrent_time optional - number

    Number of days elapsed since the noncurrent timestamp of an object. This condition is relevant only for versioned objects.

    • matches_storage_class optional - list of string

    Storage Class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE, STANDARD, DURABLE_REDUCED_AVAILABILITY.

    • noncurrent_time_before optional - string

    Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.

    • num_newer_versions optional - number

    Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.

    • with_state optional computed - string

    Match to live and/or archived objects. Unversioned buckets have only live objects. Supported values include: "LIVE", "ARCHIVED", "ANY".

• logging list block
  • log_bucket required - string

  The bucket that will receive log objects.

  • log_object_prefix optional computed - string

  The object prefix for log objects. If it's not provided, by default Google Cloud Storage sets this to this bucket's name.

• retention_policy list block
  • is_locked optional - bool

  If set to true, the bucket will be locked and permanently restrict edits to the bucket's retention policy. Caution: Locking a bucket is an irreversible action.

  • retention_period required - number

  The period of time, in seconds, that objects in the bucket must be retained and cannot be deleted, overwritten, or archived. The value must be less than 3,155,760,000 seconds.

• versioning list block
  • enabled required - bool

  While set to true, versioning is fully enabled for this bucket.

• website list block
  • main_page_suffix optional - string

  Behaves as the bucket's directory index where missing objects are treated as potential directories.

  • not_found_page optional - string

  The custom object to return when a requested resource is not found.

Explanation in Terraform Registry

Creates a new bucket in Google cloud storage service (GCS). Once a bucket has been created, its location can't be changed. For more information see the official documentation and API. Note: If the project id is not set on the resource or in the provider block it will be dynamically determined which will require enabling the compute api.