Google Cloud Storage Bucket

This page shows how to write Terraform for a Cloud Storage bucket and how to write it securely.

google_storage_bucket (Terraform)

The Bucket in Cloud Storage can be configured in Terraform with the resource name google_storage_bucket. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

storage.tf#L1
resource "google_storage_bucket" "quadrennium" {
  name          = "quadrennium"
  location      = "EU"
  storage_class = "MULTI_REGIONAL"
}

storage-buckets.tf#L2
resource "google_storage_bucket" "gitlab-backups" {
  name          = format("%s-gitlab-backups", var.project_id)
  force_destroy = true
  location      = var.region
}

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for google_storage_bucket

There is 1 setting in google_storage_bucket that should be taken care of for security reasons. The following section explains it and gives example code.


Ensure uniform bucket-level access of your GCS bucket is enabled

It is better to enable uniform bucket-level access of the GCS bucket. Uniform bucket-level access unifies and simplifies how you grant access to resources in the bucket.
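As an added example (not code from the page or from the projects it cites), the two buckets below put the configuration the check above flags next to the corrected one; bucket names are placeholders. When uniform_bucket_level_access is left unset, legacy per-object ACLs stay active alongside IAM, so each object can carry its own grants that a bucket-level review does not see.

```hcl
# Flagged by the check above: uniform_bucket_level_access is not set, so legacy
# per-object ACLs remain in force next to IAM and must be audited object by object.
resource "google_storage_bucket" "weak" {
  name     = "example-weak-bucket"   # placeholder name
  location = "EU"
}

# Corrected: only IAM policies on the bucket control access; object ACLs are disabled.
resource "google_storage_bucket" "hardened" {
  name                        = "example-hardened-bucket"   # placeholder name
  location                    = "EU"
  uniform_bucket_level_access = true
}
```

Enabling the setting on an existing bucket can be reverted only within 90 days, so review any workloads that still rely on object ACLs before applying it.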

Review your Google Cloud Storage settings

You can check if the google_storage_bucket setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

Enables Bucket Policy Only access to a bucket.

When deleting a bucket, this boolean option will delete all contained objects. If you try to delete a bucket that contains objects, Terraform will fail that run.

  • id optional computed - string
  • labels optional - map from string to string

A set of key/value label pairs to assign to the bucket.

The Google Cloud Storage location

The name of the bucket.

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Enables Requester Pays on a storage bucket.

The URI of the created resource.

The Storage Class of the new bucket. Supported values include: STANDARD, MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE.

Enables uniform bucket-level access on a bucket.

  • url optional computed - string

The base URL of the bucket, in the format gs://<bucket-name>.

  • cors list block

    The value, in seconds, to return in the Access-Control-Max-Age header used in preflight responses.

    The list of HTTP methods on which to include CORS response headers (GET, OPTIONS, POST, etc.). Note: "*" is permitted in the list of methods, and means "any method".

    The list of Origins eligible to receive CORS response headers. Note: "*" is permitted in the list of origins, and means "any Origin".

    The list of HTTP headers other than the simple response headers to give permission for the user-agent to share across domains.

  • encryption list block

    A Cloud KMS key that will be used to encrypt objects inserted into this bucket, if no encryption method is specified. You must pay attention to whether the crypto key is available in the location that this bucket is created in. See the docs for more details.

  • lifecycle_rule list block
    • action set block

      The target Storage Class of objects affected by this Lifecycle Rule. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE.

      The type of the action of this Lifecycle Rule. Supported values include: Delete and SetStorageClass.

    • condition set block
      • age optional - number

      Minimum age of an object in days to satisfy this condition.

      Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.

      Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.

      Number of days elapsed since the user-specified timestamp set on an object.

      Number of days elapsed since the noncurrent timestamp of an object. This condition is relevant only for versioned objects.

      Storage Class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE, STANDARD, DURABLE_REDUCED_AVAILABILITY.

      Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.

      Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.

      Match to live and/or archived objects. Unversioned buckets have only live objects. Supported values include: "LIVE", "ARCHIVED", "ANY".

  • logging list block

    The bucket that will receive log objects.

    The object prefix for log objects. If it's not provided, by default Google Cloud Storage sets this to this bucket's name.

  • retention_policy list block

    If set to true, the bucket will be locked and permanently restrict edits to the bucket's retention policy. Caution: Locking a bucket is an irreversible action.

    The period of time, in seconds, that objects in the bucket must be retained and cannot be deleted, overwritten, or archived. The value must be less than 3,155,760,000 seconds.

  • versioning list block

    While set to true, versioning is fully enabled for this bucket.

  • website list block

    Behaves as the bucket's directory index where missing objects are treated as potential directories.

    The custom object to return when a requested resource is not found.
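As an added example, not from the page or the projects it cites, the bucket below combines several of the blocks listed above (encryption, versioning, lifecycle_rule and logging) into one hardened definition; all bucket names, the project and the KMS key path are placeholders. retention_policy is deliberately left out because Cloud Storage does not allow a retention policy on a bucket that has versioning enabled.

```hcl
resource "google_storage_bucket" "records" {
  name                        = "example-records-bucket"   # placeholder name
  location                    = "EU"
  storage_class               = "STANDARD"
  uniform_bucket_level_access = true

  # Default CMEK for objects written without an explicit key. The key must be in a
  # location usable from the bucket's location, and the project's Cloud Storage
  # service agent needs the Cloud KMS CryptoKey Encrypter/Decrypter role on it.
  encryption {
    default_kms_key_name = "projects/example-project/locations/europe/keyRings/example-ring/cryptoKeys/example-key"   # placeholder
  }

  # Every overwrite or delete keeps the old object as a noncurrent version, so
  # accidental or malicious changes can be rolled back.
  versioning {
    enabled = true
  }

  # Rule 1: live objects older than 30 days move to COLDLINE to cut storage cost.
  lifecycle_rule {
    condition {
      age        = 30
      with_state = "LIVE"
    }
    action {
      type          = "SetStorageClass"
      storage_class = "COLDLINE"
    }
  }

  # Rule 2: archived versions are deleted once 5 newer versions exist, bounding history.
  lifecycle_rule {
    condition {
      num_newer_versions = 5
      with_state         = "ARCHIVED"
    }
    action {
      type = "Delete"
    }
  }

  # Access logs go to a separate bucket (declared elsewhere); that bucket must
  # grant object-create permission to the Cloud Storage log writer.
  logging {
    log_bucket        = "example-access-logs"   # placeholder name
    log_object_prefix = "records"
  }
}
```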

Explanation in Terraform Registry

Creates a new bucket in Google Cloud Storage (GCS). Once a bucket has been created, its location can't be changed. For more information see the official documentation and API. Note: if the project ID is not set on the resource or in the provider block, it is determined dynamically, which requires the Compute API to be enabled.

Frequently asked questions

What is Google Cloud Storage Bucket?

Google Cloud Storage Bucket is a resource for Cloud Storage of Google Cloud Platform. Its settings can be written in Terraform.

Where can I find the example code for the Google Cloud Storage Bucket?

For Terraform, the upodroid/conflux-k8 and loganrobertclemons/lrc-portfolio source code examples are useful. See the Terraform Example section for further details.


Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.