Add module for creating Bucket with Policy.

otto-de · Dec 16, 2024 · d48e863 · d48e863
1 parent ab02964
commit d48e863
Show file tree

Hide file tree

Showing 3 changed files with 94 additions and 0 deletions.
diff --git a/tf/bucket/main.tf b/tf/bucket/main.tf
@@ -0,0 +1,47 @@
+data "google_iam_policy" "main_bucket" {
+  dynamic "binding" {
+    for_each = var.admins == [] ? [] : [var.admins]
+    content {
+      role    = "roles/storage.objectAdmin"
+      members = binding.value
+    }
+  }
+
+  dynamic "binding" {
+    for_each = var.users == [] ? [] : [var.users]
+    content {
+      role    = "roles/storage.objectUser"
+      members = binding.value
+    }
+  }
+
+
+  dynamic "binding" {
+    for_each = var.viewers == [] ? [] : [var.viewers]
+    content {
+      role    = "roles/storage.objectViewer"
+      members = binding.value
+    }
+  }
+}
+
+resource "google_storage_bucket" "main" {
+  name = var.name
+
+  location = var.location
+
+  force_destroy               = var.force_destroy
+  uniform_bucket_level_access = true
+
+  dynamic "retention_policy" {
+    for_each = var.retention_policy == null ? [] : [var.retention_policy]
+    content {
+      retention_period = each.retention_period
+    }
+  }
+}
+
+resource "google_storage_bucket_iam_policy" "main" {
+  bucket      = google_storage_bucket.main.name
+  policy_data = data.google_iam_policy.main_bucket.policy_data
+}
diff --git a/tf/bucket/outputs.tf b/tf/bucket/outputs.tf
@@ -0,0 +1,4 @@
+output "name" {
+  description = "The name of the bucket."
+  value       = google_storage_bucket.main.name
+}
diff --git a/tf/bucket/variables.tf b/tf/bucket/variables.tf
@@ -0,0 +1,43 @@
+
+variable "name" {
+  description = "The name of the bucket."
+  type        = string
+}
+
+variable "location" {
+  description = "The Google Cloud Storage location"
+  type        = string
+  default     = "europe-west1"
+}
+
+variable "force_destroy" {
+  description = "When deleting a bucket, this boolean option will delete all contained objects. If you try to delete a bucket that contains objects, Terraform will fail that run."
+  type        = bool
+  default     = false
+}
+
+
+variable "admins" {
+  description = "IAM-style members who will be granted roles/storage.objectAdmin on bucket."
+  type        = list(string)
+  default     = []
+}
+
+variable "viewers" {
+  description = "IAM-style members who will be granted roles/storage.objectViewer on bucket."
+  type        = list(string)
+  default     = []
+}
+
+variable "users" {
+  description = "IAM-style members who will be granted roles/storage.objectUser on bucket."
+  type        = list(string)
+  default     = []
+}
+
+variable "retention_policy" {
+  type        = map(any)
+  nullable    = true
+  default     = null
+  description = "Configuration of the bucket's data retention policy for how long objects in the bucket should be retained."
+}