From 1306f67b96f5ca7fb315f3b263588f15b585fc29 Mon Sep 17 00:00:00 2001
From: devuonocar
Date: Mon, 30 Oct 2023 18:23:33 +0100
Subject: [PATCH] Add public_access_prevention

---
 modules/gcs/README.md | 1 +
 modules/gcs/main.tf | 1 +
 modules/gcs/variables.tf | 6 ++++++
 3 files changed, 8 insertions(+)

diff --git a/modules/gcs/README.md b/modules/gcs/README.md
index 8a26958d..a04f9656 100644
--- a/modules/gcs/README.md
+++ b/modules/gcs/README.md
@@ -196,6 +196,7 @@ module "bucket" {
 | [notification_config](variables.tf#L169) | GCS Notification configuration. | object({…}) | | null |
 | [objects_to_upload](variables.tf#L183) | Objects to be uploaded to bucket. | map(object({…})) | | {} |
 | [prefix](variables.tf#L209) | Optional prefix used to generate the bucket name. | string | | null |
+| [public_access_prevention](variables.tf#L224) | Prevents public access to a bucket. Acceptable values are inherited or enforced. If inherited, the bucket uses public access prevention, only if the bucket is subject to the public access prevention organization policy constraint. | string | | "inherited" |
 | [requester_pays](variables.tf#L224) | Enables Requester Pays on a storage bucket. | bool | | null |
 | [retention_policy](variables.tf#L230) | Bucket retention policy. | object({…}) | | null |
 | [storage_class](variables.tf#L239) | Bucket storage class. | string | | "MULTI_REGIONAL" |
diff --git a/modules/gcs/main.tf b/modules/gcs/main.tf
index 1341e707..c19c7912 100644
--- a/modules/gcs/main.tf
+++ b/modules/gcs/main.tf
@@ -29,6 +29,7 @@ resource "google_storage_bucket" "bucket" {
 labels = var.labels
 default_event_based_hold = var.default_event_based_hold
 requester_pays = var.requester_pays
+ public_access_prevention = var.public_access_prevention
 versioning {
 enabled = var.versioning
 }
diff --git a/modules/gcs/variables.tf b/modules/gcs/variables.tf
index 350c74ba..4f7b9274 100644
--- a/modules/gcs/variables.tf
+++ b/modules/gcs/variables.tf
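Review bot: The new `public_access_prevention = var.public_access_prevention` argument in main.tf deserves a comment, because the argument name suggests a protection that the module's default does not provide on its own: with the default `inherited`, the bucket is protected only when the `constraints/storage.publicAccessPrevention` organization policy applies to it, and a reader of main.tf has no way to see that without opening variables.tf. Suggested comment above the line: `# "inherited" defers to the org policy constraint; pass "enforced" to reject allUsers/allAuthenticatedUsers grants regardless of org policy.` The `google_storage_bucket` resource block starts before this hunk and continues past it.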
@@ -221,6 +221,12 @@ variable "project_id" {
 type = string
 }
 
+variable "public_access_prevention" {
+ description = "Prevents public access to a bucket. Acceptable values are inherited or enforced. If inherited, the bucket uses public access prevention, only if the bucket is subject to the public access prevention organization policy constraint."
+ type = string
+ default = "inherited"
+}
+
 variable "requester_pays" {
 description = "Enables Requester Pays on a storage bucket."
 type = bool
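Review bot: The new `public_access_prevention` variable accepts any string, although its description names only `inherited` and `enforced`; a typo such as `enforce` is not caught at plan time and only surfaces when the provider or the API rejects it at apply, and a caller who believed they had hardened the bucket is left with the default behaviour. A `validation` block on the variable rejects bad values early and documents the accepted set in code rather than only in prose. The default `"inherited"` keeps existing callers unchanged, but it also means a bucket in a project that is not covered by the `constraints/storage.publicAccessPrevention` organization policy gets no protection from this argument; the description already hints at this, and it would help to state plainly that `enforced` is the value to use when the org policy cannot be relied on. Separately, the README hunk anchors the new row to `variables.tf#L224`, which is also the anchor still shown for `requester_pays`, so the line references for the variables that follow the insertion appear stale (hedged: if the README is generated from variables.tf, regenerating it resolves this).
```hcl
variable "public_access_prevention" {
  # … unchanged: description, type, default …
  validation {
    condition     = contains(["inherited", "enforced"], var.public_access_prevention)
    error_message = "public_access_prevention must be either \"inherited\" or \"enforced\"."
  }
}
```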