This module creates a bucket on Google Cloud Platform that can be used by a web application (such as a Drupal application) and returns the relevant login credentials.
By default (configurable per bucket), the module also creates a disaster recovery procedure: a daily backup of the application bucket to a second bucket, which is useful in case of compromise.
By default, the disaster recovery bucket is created in the same region as the application bucket, but if you want to increase security you can specify a different region to be safe from catastrophic events that compromise an entire region.
To enable disaster recovery, the API "storagetransfer.googleapis.com" must be enabled.
The input variable buckets_list is a list of objects, each object representing a bucket resource with configurable parameters. This is the structure of a single object:

```hcl
{
  name                     = string
  force_destroy            = optional(bool, false)
  append_random_suffix     = optional(bool, true)
  location                 = optional(string, null)
  storage_class            = optional(string, "STANDARD")
  enable_versioning        = optional(bool, true)
  enable_disaster_recovery = optional(bool, true)
  set_all_users_as_viewer  = optional(bool, false)
  labels                   = optional(map(string), {})
  tag_list                 = optional(list(string), [])
  bucket_obj_adm           = optional(list(string), [])
  bucket_obj_vwr           = optional(list(string), [])
}
```
The only mandatory parameter is the name of the bucket; the rest are optional, with the default values shown above.
The property set_all_users_as_viewer controls whether the bucket content is readable by anonymous users (default false).
You can also pass a map of key/value label pairs to assign to the bucket using the labels property, e.g. { env = "stage", app = "mysite" }.
You can also pass a list of tag values, written in the user-friendly form <TAG_KEY_SHORTNAME>/<TAG_VALUE_SHORTNAME> (e.g. ["dev/editor","ops/admin"]), to bind to the buckets using the tag_list property. The tags must already exist in the Google project, otherwise the module will fail.
The module also accepts a list of global_tags, which are tags that will be applied as default to all the buckets created by the module, but if a bucket specifies a list of tags, the global tags will be overridden by the single bucket tags.
You can optionally pass a list of bucket writers or readers as IAM-style member strings (e.g. ["group:[email protected]", "user:[email protected]"]) to assign roles/storage.objectAdmin to the writers or roles/storage.objectViewer to the readers on the set of principals.
By default, the module appends a random suffix to the name of the bucket to prevent name collisions. To disable this, set append_random_suffix to false for the given bucket. This may be useful if you want to import existing buckets with a known name.
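The following is an added example of calling this module from a root configuration; it is not part of the module's own code. The module source path, project ID, regions, labels, tag values and principal addresses are assumptions; the variable and output names are the ones documented on this page. It also enables the storagetransfer.googleapis.com API that the disaster recovery transfer job requires, and wires that dependency into the module call.

```hcl
# Added usage example (not part of the module). All concrete values below are
# assumptions: replace the source path, project ID, regions, tags and principals.

# The disaster recovery transfer job needs this API enabled in the project.
resource "google_project_service" "storagetransfer" {
  project = "my-gcp-project" # assumption
  service = "storagetransfer.googleapis.com"
}

module "app_buckets" {
  source     = "./modules/gcp-app-bucket" # assumption: local path to this module
  project_id = "my-gcp-project"           # assumption

  # Make sure the API is enabled before the module creates the transfer job.
  depends_on = [google_project_service.storagetransfer]

  # Keep the backup copy in a different region from the primary bucket, so a
  # region-wide outage does not take both copies down.
  disaster_recovery_bucket_location = "europe-west4" # assumption

  # Tags applied to every bucket that does not list its own tags.
  # The tag keys/values must already exist in the project.
  global_tags = ["env/stage"] # assumption

  buckets_list = [
    {
      # Application files bucket: random suffix, versioning and daily DR copy
      # are all left at their defaults (true).
      name     = "mysite-files"   # assumption
      location = "europe-west1"   # assumption
      labels   = { env = "stage", app = "mysite" }

      # Per-bucket tags override global_tags for this bucket only.
      tag_list = ["dev/editor", "ops/admin"]

      # Writers get roles/storage.objectAdmin, readers roles/storage.objectViewer.
      bucket_obj_adm = ["group:[email protected]"]   # assumption
      bucket_obj_vwr = ["user:[email protected]"]     # assumption

      # Left at the default (false): the bucket is not readable by anonymous users.
      set_all_users_as_viewer = false
    },
    {
      # An existing bucket imported under its known name: no random suffix,
      # no DR mirror, and objects are never deleted on destroy.
      name                     = "mysite-legacy-archive" # assumption
      append_random_suffix     = false
      enable_disaster_recovery = false
      force_destroy            = false
    }
  ]
}

output "bucket_names" {
  value = module.app_buckets.generated_bucket_names
}

# The credentials output contains the HMAC key for the bucket service account.
output "bucket_credentials" {
  value     = module.app_buckets.buckets_access_credentials
  sensitive = true
}
```

Marking the credentials output as sensitive keeps the HMAC key out of the plan and apply output shown on the terminal, but Terraform still stores it in clear text in the state file, so the state backend needs the same access control you would give the credentials themselves. The depends_on on the module block matters because the google_storage_transfer_job resource fails if the Storage Transfer API is not yet enabled in the project.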
Providers:

Name | Version |
---|---|
google | >= 4.47.0 |
random | >= 3.4.3 |

Requirements:

Name | Version |
---|---|
terraform | >= 1.2 |
google | >= 4.47.0 |
random | >= 3.4.3 |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
buckets_list | The list of buckets to create. For each bucket you can specify: the name; force_destroy, which deletes the contents of the bucket when the bucket is deleted (if you try to delete a bucket that still contains objects, Terraform will fail that run); the location (defaults to the project region); the storage class (defaults to STANDARD); whether to enable object versioning (default true); whether to plan a disaster recovery with the creation of a mirroring bucket and a scheduled transfer job; and whether to append a random suffix to the bucket name (default true). The property set_all_users_as_viewer controls whether the bucket is readable by all users (default false). The property labels sets labels to organize buckets. The property tag_list sets Google tags to bind to the bucket for fine-grained access control. The properties bucket_obj_vwr and bucket_obj_adm set lists of specific IAM members as objectViewer and objectAdmin. | list(object({...})) (object structure shown above) | n/a | yes |
disaster_recovery_bucket_location | The location in which the disaster recovery bucket will be created. For a list of available regions, see https://cloud.google.com/storage/docs/locations. By default, the disaster recovery bucket is created in the same location as the primary bucket. | string | "" | no |
global_tags | A list of tags to be applied to all the resources, in the form <TAG_KEY_SHORTNAME>/<TAG_VALUE_SHORTNAME>. If a resource specifies a list of tags, the global tags are overridden and replaced by those specified in the resource. | list(string) | [] | no |
logging_bucket_name | The name of the logging bucket. If not set, no logging bucket is added and bucket logs are disabled. | string | "" | no |
project_id | The Google Cloud project ID to deploy to. | string | n/a | yes |
transfer_job_excluded_prefixes | A list of object file and folder prefixes that will be excluded from the transfer job. The default is designed for a typical Drupal application. | list(string) | [...] | no |
Outputs:

Name | Description |
---|---|
buckets_access_credentials | Access credentials for the application buckets |
details_of_used_tag_keys | Details of all the tag keys passed to this module (globals and per bucket). |
details_of_used_tag_values | Details of all the tag values passed to this module (globals and per bucket). |
generated_bucket_names | The list with the names of the buckets managed by this module. |
Resources:

Name | Type |
---|---|
google_service_account.application_bucket | resource |
google_storage_bucket.application | resource |
google_storage_bucket.disaster_recovery | resource |
google_storage_bucket_iam_member.default_storage_admin | resource |
google_storage_bucket_iam_member.default_storage_viewer | resource |
google_storage_bucket_iam_member.disaster_recovery_legacy_reader | resource |
google_storage_bucket_iam_member.disaster_recovery_legacy_writer | resource |
google_storage_bucket_iam_member.objadmin | resource |
google_storage_bucket_iam_member.viewer | resource |
google_storage_hmac_key.bucket_hmackey | resource |
google_storage_transfer_job.application_bucket_nightly_backup | resource |
google_tags_location_tag_binding.binding | resource |
random_id.resources_suffix | resource |
google_client_config.current | data source |
google_storage_transfer_project_service_account.default | data source |
google_tags_tag_key.tag_keys | data source |
google_tags_tag_value.tag_values | data source |
No modules.