From 0d5d2ed9880e24e10116e407ce1e6e47c77e39f5 Mon Sep 17 00:00:00 2001
From: nandagirin
Date: Tue, 12 Jul 2022 22:36:35 +0700
Subject: [PATCH 1/5] Implement event hold per bucket basis with default value set to false

---
 main.tf      | 5 +++++
 variables.tf | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/main.tf b/main.tf
index cb31aea2..a9920d73 100644
--- a/main.tf
+++ b/main.tf
@@ -62,6 +62,11 @@ resource "google_storage_bucket" "buckets" {
       false,
     )
   }
+  default_event_based_hold = lookup(
+    var.default_event_based_hold,
+    lower(each.value),
+    false,
+  )
   # Having a permanent encryption block with default_kms_key_name = "" works but results in terraform applying a change every run
   # There is no enabled = false attribute available to ask terraform to ignore the block
   dynamic "encryption" {
diff --git a/variables.tf b/variables.tf
index 4ab76e34..f0185a3f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -71,6 +71,12 @@ variable "bucket_policy_only" {
   default     = {}
 }
 
+variable "default_event_based_hold" {
+  description = "Enable event based hold to new objects added to specific bucket. Defaults to false. Map of lowercase unprefixed name => boolean"
+  type        = map(bool)
+  default     = {}
+}
+
 variable "admins" {
   description = "IAM-style members who will be granted roles/storage.objectAdmin on all buckets."
   type        = list(string)

From b81836a2c7fb3020a334b127645b09c63349ca08 Mon Sep 17 00:00:00 2001
From: nandagirin
Date: Tue, 12 Jul 2022 22:37:10 +0700
Subject: [PATCH 2/5] Update multiple_buckets example with implementation of default_event_based_hold

---
 examples/multiple_buckets/main.tf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/examples/multiple_buckets/main.tf b/examples/multiple_buckets/main.tf
index 53858d24..99cf0011 100644
--- a/examples/multiple_buckets/main.tf
+++ b/examples/multiple_buckets/main.tf
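Review bot: The description of the new `default_event_based_hold` variable in the variables.tf hunk reads awkwardly and buries the one fact an operator needs: this is a bucket-level default that applies to objects created after it is set, not a hold placed on objects already in the bucket. Suggested wording: `description = "Optional map of lowercase unprefixed name => boolean. When true, objects newly created in that bucket receive an event-based hold by default; defaults to false."`. The same sentence is copied into the README table row in patch 3, so both should change together (the README looks like generated documentation, so regenerating it after editing variables.tf may be the right route). The main.tf hunk itself follows the existing `lookup(var.x, lower(each.value), false)` pattern and needs no change.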
@@ -44,4 +44,8 @@ module "cloud_storage" {
       matches_storage_class = "MULTI_REGIONAL,STANDARD,DURABLE_REDUCED_AVAILABILITY"
     }
   }]
+
+  default_event_based_hold = {
+    "two" = true
+  }
 }

From c2c2b239b655c26ba332d3648643668e4b0b3403 Mon Sep 17 00:00:00 2001
From: nandagirin
Date: Tue, 12 Jul 2022 22:37:38 +0700
Subject: [PATCH 3/5] Update README with new optional input of default_event_based_hold

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index ac66ee33..49249ee1 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,7 @@ Functional examples are included in the
 | bucket\_viewers | Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket viewers. | `map(string)` | `{}` | no |
 | cors | Set of maps of mixed type attributes for CORS values. See appropriate attribute types here: https://www.terraform.io/docs/providers/google/r/storage_bucket.html#cors | `set(any)` | `[]` | no |
 | creators | IAM-style members who will be granted roles/storage.objectCreators on all buckets. | `list(string)` | `[]` | no |
+| default\_event\_based\_hold | Enable event based hold to new objects added to specific bucket. Defaults to false. Map of lowercase unprefixed name => boolean | `map(bool)` | `{}` | no |
 | encryption\_key\_names | Optional map of lowercase unprefixed name => string, empty strings are ignored. | `map(string)` | `{}` | no |
 | folders | Map of lowercase unprefixed name => list of top level folder objects. | `map(list(string))` | `{}` | no |
 | force\_destroy | Optional map of lowercase unprefixed name => boolean, defaults to false. | `map(bool)` | `{}` | no |

From 0bfb571987b428662359ded7f78413f00b14f95d Mon Sep 17 00:00:00 2001
From: nandagirin
Date: Fri, 15 Jul 2022 06:32:42 +0700
Subject: [PATCH 4/5] Set example bucket with event hold to bucket with name "one"

---
 examples/multiple_buckets/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/multiple_buckets/main.tf b/examples/multiple_buckets/main.tf
index 99cf0011..17ed516e 100644
--- a/examples/multiple_buckets/main.tf
+++ b/examples/multiple_buckets/main.tf
@@ -46,6 +46,6 @@ module "cloud_storage" {
   }]
 
   default_event_based_hold = {
-    "two" = true
+    "one" = true
   }
 }

From 9591c62f0081e0742662b63804a5b923753a31dd Mon Sep 17 00:00:00 2001
From: nandagirin
Date: Fri, 15 Jul 2022 06:33:00 +0700
Subject: [PATCH 5/5] Define assertion to test whether defaultEventBasedHold is enabled

---
 test/integration/multiple_buckets/multiple_buckets_test.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/test/integration/multiple_buckets/multiple_buckets_test.go b/test/integration/multiple_buckets/multiple_buckets_test.go
index 92d41f49..7a0af318 100644
--- a/test/integration/multiple_buckets/multiple_buckets_test.go
+++ b/test/integration/multiple_buckets/multiple_buckets_test.go
@@ -51,9 +51,11 @@ func TestMultipleBuckets(t *testing.T) {
 			case "one":
 				// bucket with suffix one
 				assert.True(op.Get("metadata.iamConfiguration.bucketPolicyOnly.enabled").Bool(), "bucketPolicyOnly is enabled")
+				assert.True(op.Get("metadata.defaultEventBasedHold").Bool(), "defaultEventBasedHold is enabled")
 			case "two":
 				// bucket with suffix two
 				assert.False(op.Get("metadata.iamConfiguration.bucketPolicyOnly.enabled").Bool(), "bucketPolicyOnly is disabled")
+				assert.False(op.Get("metadata.defaultEventBasedHold").Bool(), "defaultEventBasedHold is disabled")
 				gcloud.Run(t, fmt.Sprintf("alpha storage ls --buckets gs://%s/dev/", bucketName), gcloudArgs)
 				gcloud.Run(t, fmt.Sprintf("alpha storage ls --buckets gs://%s/prod/", bucketName), gcloudArgs)
 			default:
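Review bot: The negative assertion added under `case "two"` in the multiple_buckets_test.go hunk is weaker than it looks: a gjson `.Bool()` on a path that is absent from the describe output also returns false, so `assert.False(op.Get("metadata.defaultEventBasedHold").Bool(), ...)` passes whether the hold is genuinely disabled or the field is simply missing (for example if the API omits false-valued booleans or the attribute were renamed). If the describe output is known to always carry the field, add `assert.True(op.Get("metadata.defaultEventBasedHold").Exists(), "defaultEventBasedHold is present")` ahead of the new line so a missing field fails loudly; if it is not guaranteed, a short comment such as `// absent field also reads as false; only the positive case for bucket "one" is a strong check` makes the limitation explicit. The positive assertion under `case "one"` is sound as written. The body of TestMultipleBuckets starts and ends outside the hunk.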