From 29d65811f3ed84b8c711655071fae020775d214e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?=
Date: Tue, 29 Mar 2022 07:42:15 +0200
Subject: [PATCH] Use uniform access on Cloud Functions buckets. (#596)
* Use uniform access on Cloud Functions buckets.
* Add ALLOW_INTERNAL_AND_GCLB as allowed ingress_settings.
* Enable versiniong if there is lifecycle rule
* Remove only non-current version of objects
---
 modules/cloud-function/README.md | 2 +-
 modules/cloud-function/main.tf | 19 +++++++++++++++----
 modules/cloud-function/variables.tf | 2 +-
 3 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/modules/cloud-function/README.md b/modules/cloud-function/README.md
index 46a5b458..6eac68bf 100644
--- a/modules/cloud-function/README.md
+++ b/modules/cloud-function/README.md
@@ -169,7 +169,7 @@ module "cf-http" {
 | [environment_variables](variables.tf#L46) | Cloud function environment variables. | map(string) | | {} |
 | [function_config](variables.tf#L52) | Cloud function configuration. | object({…}) | | {…} |
 | [iam](variables.tf#L70) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
-| [ingress_settings](variables.tf#L76) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL and ALLOW_INTERNAL_ONLY. | string | | null |
+| [ingress_settings](variables.tf#L76) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY . | string | | null |
 | [labels](variables.tf#L82) | Resource labels. | map(string) | | {} |
 | [prefix](variables.tf#L93) | Optional prefix used for resource names. | string | | null |
 | [region](variables.tf#L104) | Region used for all resources. | string | | "europe-west1" |
diff --git a/modules/cloud-function/main.tf b/modules/cloud-function/main.tf
index 3a37a63f..949cb69b 100644
--- a/modules/cloud-function/main.tf
+++ b/modules/cloud-function/main.tf
@@ -103,9 +103,10 @@ resource "google_cloudfunctions_function_iam_binding" "default" {
 }
 
 resource "google_storage_bucket" "bucket" {
- count = var.bucket_config == null ? 0 : 1
- project = var.project_id
- name = "${local.prefix}${var.bucket_name}"
+ count = var.bucket_config == null ? 0 : 1
+ project = var.project_id
+ name = "${local.prefix}${var.bucket_name}"
+ uniform_bucket_level_access = true
 location = (
 var.bucket_config.location == null
 ? var.region
@@ -117,7 +118,17 @@ resource "google_storage_bucket" "bucket" {
 for_each = var.bucket_config.lifecycle_delete_age == null ? [] : [""]
 content {
 action { type = "Delete" }
- condition { age = var.bucket_config.lifecycle_delete_age }
+ condition {
+ age = var.bucket_config.lifecycle_delete_age
+ with_state = "ARCHIVED"
+ }
+ }
+ }
+
+ dynamic "versioning" {
+ for_each = var.bucket_config.lifecycle_delete_age == null ? [] : [""]
+ content {
+ enabled = true
 }
 }
 }
diff --git a/modules/cloud-function/variables.tf b/modules/cloud-function/variables.tf
index 2ac663b1..a613b2f6 100644
--- a/modules/cloud-function/variables.tf
+++ b/modules/cloud-function/variables.tf
@@ -74,7 +74,7 @@ variable "iam" {
 }
 
 variable "ingress_settings" {
- description = "Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL and ALLOW_INTERNAL_ONLY."
+ description = "Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY ."
 type = string
 default = null
 }
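Review bot: Switching the existing `google_storage_bucket.bucket` resource to `uniform_bucket_level_access = true` is a good hardening step, but it is applied in place to buckets users already have, and it silently invalidates any object or bucket ACL grants those buckets relied on while Cloud Storage only permits reverting the setting for a limited period; nothing in the commit (README diffstat shows only the ingress_settings row changed) tells upgrading users this. Suggest a short comment on the new line, e.g. `# Uniform access disables per-object ACLs; IAM bindings are the only grant path once enabled.`, and a matching sentence in the bucket_config documentation. If the provider version this module pins supports it, pairing it with `public_access_prevention = "enforced"` would also close the remaining path to a public bucket, since uniform access by itself does not stop an allUsers or allAuthenticatedUsers IAM binding being added elsewhere. The resource block continues past the end of this hunk.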
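Review bot: In the second main.tf hunk, `with_state = "ARCHIVED"` combined with `age` matches a noncurrent version by the time since its original creation, not by the time since it was superseded, so an object that was live for longer than `lifecycle_delete_age` is eligible for deletion the moment a new version replaces it; if the rule is meant as a rollback window for overwritten source archives, `days_since_noncurrent_time` is the condition that expresses that, and the change is worth a one-line comment either way. The new `dynamic "versioning"` block also means that for any caller who already set `lifecycle_delete_age`, current objects are no longer expired at all and noncurrent versions accumulate until `age` — a behaviour and cost change that neither the README nor the variable description mentions. Suggest documenting it on the `bucket_config` variable, e.g. `lifecycle_delete_age: enables object versioning and deletes only noncurrent versions after this many days; the current version is kept.` The enclosing `google_storage_bucket` resource opens in the previous hunk.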
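Review bot: The updated description of `ingress_settings` now enumerates three accepted values but the variable still accepts any string, so a typo such as a lower-case value is only rejected at apply time by the API; a `validation` block would catch it at plan time: `condition = var.ingress_settings == null ? true : contains(["ALLOW_ALL", "ALLOW_INTERNAL_AND_GCLB", "ALLOW_INTERNAL_ONLY"], var.ingress_settings)` with `error_message = "ingress_settings must be one of ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB or ALLOW_INTERNAL_ONLY."` (this needs Terraform 0.13 or later, which I cannot confirm from the hunk). There is also a stray space before the final period in the new description string, `ALLOW_INTERNAL_ONLY .`, which is mirrored into the generated README row.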