refactor: fix filter by label on bucket module
caetano-colin committed Jun 20, 2024
1 parent ba94cb9 commit 7b600da
Showing 5 changed files with 41 additions and 61 deletions.
22 changes: 12 additions & 10 deletions 5-app-infra/source_repos/service-catalog/modules/bucket/README.md
Expand Up @@ -123,21 +123,23 @@ The following table outlines which of the suggested controls for Vertex Generati

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| add\_random\_suffix | whether to add a random suffix to the bucket name | `bool` | `false` | no |
| dual\_region\_locations | dual region description | `list(string)` | `[]` | no |
| add\_random\_suffix | whether to add a random suffix to the bucket name. | `bool` | `false` | no |
| dual\_region\_locations | dual region description. | `list(string)` | `[]` | no |
| force\_destroy | (Optional, Default: true) When deleting a bucket, this boolean option will delete all contained objects. If you try to delete a bucket that contains objects, Terraform will fail that run. | `bool` | `true` | no |
| gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket | `string` | `"bkt"` | no |
| labels | Labels to be attached to the buckets | `map(string)` | <pre>{<br> "classification": "dataclassification",<br> "label": "samplelabel",<br> "owner": "testowner"<br>}</pre> | no |
| gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket. | `string` | `"bkt"` | no |
| kms\_keyring | The KMS keyring that will be used when selecting the KMS key, preferably this should be on the same region as var.location and the same environment.<br>This value can be obtained by running "gcloud kms keyrings list --project=KMS\_PROJECT\_ID --location=REGION." | `string` | n/a | yes |
| labels | Labels to be attached to the buckets. | `map(string)` | <pre>{<br> "classification": "dataclassification",<br> "label": "samplelabel",<br> "owner": "testowner"<br>}</pre> | no |
| lifecycle\_rules | List of lifecycle rules to configure. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#lifecycle_rule except condition.matches\_storage\_class should be a comma delimited string. | <pre>set(object({<br> # Object with keys:<br> # - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass.<br> # - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule.<br> action = map(string)<br><br> # Object with keys:<br> # - age - (Optional) Minimum age of an object in days to satisfy this condition.<br> # - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.<br> # - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY".<br> # - matches_storage_class - (Optional) Comma delimited string for storage class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL.<br> # - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.<br> # - custom_time_before - (Optional) A date in the RFC 3339 format YYYY-MM-DD. This condition is satisfied when the customTime metadata for the object is set to an earlier date than the date used in this lifecycle condition.<br> # - days_since_custom_time - (Optional) The number of days from the Custom-Time metadata attribute after which this condition becomes true.<br> # - days_since_noncurrent_time - (Optional) Relevant only for versioned objects. Number of days elapsed since the noncurrent timestamp of an object.<br> # - noncurrent_time_before - (Optional) Relevant only for versioned objects. The date in RFC 3339 (e.g. 
2017-06-13) when the object became nonconcurrent.<br> condition = map(string)<br> }))</pre> | <pre>[<br> {<br> "action": {<br> "storage_class": "NEARLINE",<br> "type": "SetStorageClass"<br> },<br> "condition": {<br> "age": "30",<br> "matches_storage_class": "REGIONAL"<br> }<br> },<br> {<br> "action": {<br> "type": "Delete"<br> },<br> "condition": {<br> "with_state": "ARCHIVED"<br> }<br> }<br>]</pre> | no |
| name | name of bucket | `string` | n/a | yes |
| log\_bucket | Bucket to store logs from the created bucket. This is the Env-level Log Bucket creted on 2-environments. | `string` | n/a | yes |
| name | name of bucket. | `string` | n/a | yes |
| object\_folder\_temporary\_hold | Set root folder temporary hold according to security control GCS-CO-6.16, toggle off to allow for object deletion. | `bool` | `false` | no |
| project\_id | Optional Project ID. | `string` | `null` | no |
| project\_id | Project ID to create resources. | `string` | n/a | yes |
| region | The resource region, one of [us-central1, us-east4]. | `string` | `"us-central1"` | no |
| requester\_pays | Enables Requester Pays on a storage bucket. | `bool` | `false` | no |
| retention\_policy | Map of retention policy values. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket#retention_policy | `any` | `{}` | no |
| storage\_class | Storage class to create the bucket | `string` | `"STANDARD"` | no |
| uniform\_bucket\_level\_access | Whether to have uniform access levels or not | `bool` | `true` | no |
| versioning\_enabled | Whether to enable versioning or not | `bool` | `true` | no |
| retention\_policy | Map of retention policy values. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket#retention_policy. | `any` | `{}` | no |
| storage\_class | Storage class to create the bucket. | `string` | `"STANDARD"` | no |
| uniform\_bucket\_level\_access | Whether to have uniform access levels or not. | `bool` | `true` | no |
| versioning\_enabled | Whether to enable versioning or not. | `bool` | `true` | no |

## Outputs

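Review bot: the new `kms_keyring` row says the keyring should be "on the same region as var.location", but this module's region input is `region` (see the `variable "region"` block and the former `location = var.region` lookup in data.tf); change the text to `var.region`. The quoted gcloud command in the same row ends with a period inside the quotes (`--location=REGION."`), which readers will paste into the command; move the period outside. The `log_bucket` row has a typo ("creted"). More importantly, `project_id` flips from optional (default `null`) to required and `kms_keyring` and `log_bucket` are new required inputs, so every existing caller of this module fails at plan time; add a short migration note above the table listing the three inputs and where to obtain their values, and say so in the commit message.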
16 changes: 1 addition & 15 deletions 5-app-infra/source_repos/service-catalog/modules/bucket/data.tf
Expand Up @@ -18,21 +18,7 @@ data "google_project" "project" {
project_id = var.project_id
}

data "google_projects" "kms" {
filter = "labels.application_name:env-kms labels.environment:${data.google_project.project.labels.environment} lifecycleState:ACTIVE"
}

data "google_kms_key_ring" "kms" {
name = local.keyring_name
location = var.region
project = data.google_projects.kms.projects.0.project_id
}

data "google_kms_crypto_key" "key" {
name = data.google_project.project.name
key_ring = data.google_kms_key_ring.kms.id
}

data "google_projects" "log" {
filter = "labels.application_name:env-logging labels.environment:${data.google_project.project.labels.environment} lifecycleState:ACTIVE"
key_ring = var.kms_keyring
}
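Review bot: `key_ring = var.kms_keyring` is passed straight into `data.google_kms_crypto_key.key` with no check, whereas the removed `data.google_kms_key_ring.kms` lookup resolved the ring from a name, location and project and failed clearly if any of them was wrong. The data source expects the full key ring resource ID, so add a `validation` block on `kms_keyring`, e.g. `condition = can(regex("^projects/[^/]+/locations/[^/]+/keyRings/[^/]+$", var.kms_keyring))`, so a bare keyring name fails at plan time with a readable message instead of a provider error at apply. Also note that the hunk removes both `google_projects` label-filter lookups (`env-kms`, `env-logging`) rather than fixing them, which also drops the module's dependency on org-wide project listing; the commit message ("fix filter by label") should say the lookups were replaced by explicit inputs.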
20 changes: 0 additions & 20 deletions 5-app-infra/source_repos/service-catalog/modules/bucket/locals.tf

This file was deleted.

Expand Up @@ -16,8 +16,8 @@

resource "google_storage_bucket" "bucket" {
provider = google-beta
name = join("-", [var.gcs_bucket_prefix, data.google_projects.log.projects.0.labels.env_code, var.name])
project = data.google_project.project.project_id
name = join("-", [var.gcs_bucket_prefix, data.google_project.project.effective_labels.env_code, var.name])
project = var.project_id
location = upper(var.region)

dynamic "custom_placement_config" {
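Review bot: `data.google_project.project.effective_labels.env_code` aborts the plan with a missing-key error if the project carries no `env_code` label, and `effective_labels` on the `google_project` data source is only exposed by newer provider versions, so check the module's `required_providers` constraint covers it. Guard the lookup, e.g. `lookup(data.google_project.project.effective_labels, "env_code", null)` together with a `precondition` on the resource that the value is non-null, so the error names the missing label rather than an index failure. Switching `project` to `var.project_id` is fine, but it means the data source read two lines earlier now exists only for the label and the project name used by the KMS key lookup; a comment saying so would stop the next reader from removing it.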
Expand Down Expand Up @@ -125,7 +125,7 @@ resource "google_storage_bucket" "bucket" {
#CRI Profile: DM.ED-7.1 DM.ED-7.2 DM.ED-7.3 DM.ED-7.4 PR.IP-1.4

logging {
log_bucket = join("-", [local.log_bucket_prefix, data.google_projects.log.projects.0.project_id])
log_bucket = var.log_bucket
}
}

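Review bot: `log_bucket = var.log_bucket` replaces a value that was derived from the environment's logging project, so nothing now ties the supplied bucket to the same environment as the bucket being created, which is what the control comment above this block (`#CRI Profile: DM.ED-7.1 ...`) is meant to guarantee. At minimum add a `validation` on `log_bucket` that rejects empty strings, and consider a `precondition` here that the bucket name matches the expected `<prefix>-<env>` pattern, so a caller that wires in the wrong bucket fails early instead of quietly shipping access logs elsewhere.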
Expand Up @@ -16,7 +16,7 @@

variable "name" {
type = string
description = "name of bucket"
description = "name of bucket."
}

variable "region" {
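Review bot: this pass adds a trailing period to every description but leaves capitalization inconsistent ("name of bucket.", "whether to add a random suffix..." next to "Whether to enable versioning or not."); since the README input table reproduces these strings verbatim, capitalize them consistently in the same pass.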
Expand All @@ -31,8 +31,8 @@ variable "region" {

variable "dual_region_locations" {
type = list(string)
description = "dual region description."
default = []
description = "dual region description"
validation {
condition = length(var.dual_region_locations) == 0 || length(var.dual_region_locations) == 2
error_message = "Exactly 0 or 2 regions expected."
Expand All @@ -47,7 +47,7 @@ variable "force_destroy" {

variable "versioning_enabled" {
type = bool
description = "Whether to enable versioning or not"
description = "Whether to enable versioning or not."
default = true
}

Expand Down Expand Up @@ -103,14 +103,14 @@ variable "lifecycle_rules" {

variable "retention_policy" {
type = any
description = "Map of retention policy values. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket#retention_policy."
default = {}
description = "Map of retention policy values. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket#retention_policy"
}

variable "object_folder_temporary_hold" {
type = bool
default = false
description = "Set root folder temporary hold according to security control GCS-CO-6.16, toggle off to allow for object deletion."
default = false
}

#Labeling Tag
Expand All @@ -119,8 +119,8 @@ variable "object_folder_temporary_hold" {
#CRI Profile: PR.IP-2.1 PR.IP-2.2 PR.IP-2.3

variable "labels" {
description = "Labels to be attached to the buckets"
type = map(string)
description = "Labels to be attached to the buckets."
default = {
#Labelling tag
#Control ID: GCS-CO-6.4
Expand All @@ -146,20 +146,20 @@ variable "labels" {
}

variable "add_random_suffix" {
description = "whether to add a random suffix to the bucket name"
type = bool
description = "whether to add a random suffix to the bucket name."
default = false
}

variable "uniform_bucket_level_access" {
description = "Whether to have uniform access levels or not"
type = bool
description = "Whether to have uniform access levels or not."
default = true
}

variable "storage_class" {
type = string
description = "Storage class to create the bucket"
description = "Storage class to create the bucket."
default = "STANDARD"
validation {
condition = contains(["STANDARD", "MULTI_REGIONAL", "REGIONAL", "NEARLINE", "COLDLINE", "ARCHIVE"], var.storage_class)
Expand All @@ -168,19 +168,31 @@ variable "storage_class" {
}

variable "requester_pays" {
description = "Enables Requester Pays on a storage bucket."
type = bool
description = "Enables Requester Pays on a storage bucket."
default = false
}

variable "gcs_bucket_prefix" {
description = "Name prefix to be used for GCS Bucket"
type = string
description = "Name prefix to be used for GCS Bucket."
default = "bkt"
}

variable "project_id" {
type = string
description = "Optional Project ID."
default = null
description = "Project ID to create resources."
}

variable "kms_keyring" {
type = string
description = <<EOF
The KMS keyring that will be used when selecting the KMS key, preferably this should be on the same region as var.location and the same environment.
This value can be obtained by running "gcloud kms keyrings list --project=KMS_PROJECT_ID --location=REGION."
EOF
}

variable "log_bucket" {
type = string
description = "Bucket to store logs from the created bucket. This is the Env-level Log Bucket creted on 2-environments."
}

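Review bot: `variable "project_id"` loses `default = null`, and `kms_keyring` and `log_bucket` are added with no default, so the module now has three required inputs it did not have before; that is a breaking change for every caller and should be called out in the commit message. The `kms_keyring` heredoc description refers to `var.location`, which does not exist in this module (the input is `var.region`), and puts the sentence-ending period inside the quoted gcloud command; fix both, since this text is what users copy from the README. `log_bucket` has a typo ("creted"). Neither new variable has a `validation` block, so a wrong value is only caught by the provider at apply time.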