diff --git a/5-app-infra/source_repos/service-catalog/modules/bucket/README.md b/5-app-infra/source_repos/service-catalog/modules/bucket/README.md
index e351f625..d7da8bba 100644
--- a/5-app-infra/source_repos/service-catalog/modules/bucket/README.md
+++ b/5-app-infra/source_repos/service-catalog/modules/bucket/README.md
@@ -123,21 +123,23 @@ The following table outlines which of the suggested controls for Vertex Generati
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| add\_random\_suffix | whether to add a random suffix to the bucket name | `bool` | `false` | no |
-| dual\_region\_locations | dual region description | `list(string)` | `[]` | no |
+| add\_random\_suffix | whether to add a random suffix to the bucket name. | `bool` | `false` | no |
+| dual\_region\_locations | dual region description. | `list(string)` | `[]` | no |
 | force\_destroy | (Optional, Default: true) When deleting a bucket, this boolean option will delete all contained objects. If you try to delete a bucket that contains objects, Terraform will fail that run. | `bool` | `true` | no |
-| gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket | `string` | `"bkt"` | no |
-| labels | Labels to be attached to the buckets | `map(string)` |
{
"classification": "dataclassification",
"label": "samplelabel",
"owner": "testowner"
}
| no | +| gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket. | `string` | `"bkt"` | no | +| kms\_keyring | The KMS keyring that will be used when selecting the KMS key, preferably this should be on the same region as var.location and the same environment.
This value can be obtained by running "gcloud kms keyrings list --project=KMS\_PROJECT\_ID --location=REGION." | `string` | n/a | yes | +| labels | Labels to be attached to the buckets. | `map(string)` |
{
"classification": "dataclassification",
"label": "samplelabel",
"owner": "testowner"
}
| no | | lifecycle\_rules | List of lifecycle rules to configure. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#lifecycle_rule except condition.matches\_storage\_class should be a comma delimited string. |
set(object({
# Object with keys:
# - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass.
# - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule.
action = map(string)

# Object with keys:
# - age - (Optional) Minimum age of an object in days to satisfy this condition.
# - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.
# - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY".
# - matches_storage_class - (Optional) Comma delimited string for storage class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL.
# - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.
# - custom_time_before - (Optional) A date in the RFC 3339 format YYYY-MM-DD. This condition is satisfied when the customTime metadata for the object is set to an earlier date than the date used in this lifecycle condition.
# - days_since_custom_time - (Optional) The number of days from the Custom-Time metadata attribute after which this condition becomes true.
# - days_since_noncurrent_time - (Optional) Relevant only for versioned objects. Number of days elapsed since the noncurrent timestamp of an object.
# - noncurrent_time_before - (Optional) Relevant only for versioned objects. The date in RFC 3339 (e.g. 2017-06-13) when the object became nonconcurrent.
condition = map(string)
}))
|
[
{
"action": {
"storage_class": "NEARLINE",
"type": "SetStorageClass"
},
"condition": {
"age": "30",
"matches_storage_class": "REGIONAL"
}
},
{
"action": {
"type": "Delete"
},
"condition": {
"with_state": "ARCHIVED"
}
}
]
| no | -| name | name of bucket | `string` | n/a | yes | +| log\_bucket | Bucket to store logs from the created bucket. This is the Env-level Log Bucket creted on 2-environments. | `string` | n/a | yes | +| name | name of bucket. | `string` | n/a | yes | | object\_folder\_temporary\_hold | Set root folder temporary hold according to security control GCS-CO-6.16, toggle off to allow for object deletion. | `bool` | `false` | no | -| project\_id | Optional Project ID. | `string` | `null` | no | +| project\_id | Project ID to create resources. | `string` | n/a | yes | | region | The resource region, one of [us-central1, us-east4]. | `string` | `"us-central1"` | no | | requester\_pays | Enables Requester Pays on a storage bucket. | `bool` | `false` | no | -| retention\_policy | Map of retention policy values. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket#retention_policy | `any` | `{}` | no | -| storage\_class | Storage class to create the bucket | `string` | `"STANDARD"` | no | -| uniform\_bucket\_level\_access | Whether to have uniform access levels or not | `bool` | `true` | no | -| versioning\_enabled | Whether to enable versioning or not | `bool` | `true` | no | +| retention\_policy | Map of retention policy values. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket#retention_policy. | `any` | `{}` | no | +| storage\_class | Storage class to create the bucket. | `string` | `"STANDARD"` | no | +| uniform\_bucket\_level\_access | Whether to have uniform access levels or not. | `bool` | `true` | no | +| versioning\_enabled | Whether to enable versioning or not. | `bool` | `true` | no | ## Outputs diff --git a/5-app-infra/source_repos/service-catalog/modules/bucket/data.tf b/5-app-infra/source_repos/service-catalog/modules/bucket/data.tf index 61a44b27..b45bc6cd 100644 
--- a/5-app-infra/source_repos/service-catalog/modules/bucket/data.tf
+++ b/5-app-infra/source_repos/service-catalog/modules/bucket/data.tf
@@ -18,21 +18,7 @@ data "google_project" "project" {
 project_id = var.project_id
 }
 
-data "google_projects" "kms" {
- filter = "labels.application_name:env-kms labels.environment:${data.google_project.project.labels.environment} lifecycleState:ACTIVE"
-}
-
-data "google_kms_key_ring" "kms" {
- name = local.keyring_name
- location = var.region
- project = data.google_projects.kms.projects.0.project_id
-}
-
 data "google_kms_crypto_key" "key" {
 name = data.google_project.project.name
- key_ring = data.google_kms_key_ring.kms.id
-}
-
-data "google_projects" "log" {
- filter = "labels.application_name:env-logging labels.environment:${data.google_project.project.labels.environment} lifecycleState:ACTIVE"
+ key_ring = var.kms_keyring
 }
diff --git a/5-app-infra/source_repos/service-catalog/modules/bucket/locals.tf b/5-app-infra/source_repos/service-catalog/modules/bucket/locals.tf
deleted file mode 100644
index c640c38e..00000000
--- a/5-app-infra/source_repos/service-catalog/modules/bucket/locals.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- log_bucket_prefix = "bkt"
- keyring_name = "sample-keyring"
-}
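Review bot: `key_ring = var.kms_keyring` accepts any string, and with the deleted `google_kms_key_ring` lookup gone (it pinned `location = var.region` and resolved the KMS project by environment label) nothing in the module ties the key ring's location or environment to the bucket any more, so a key ring in the wrong region or in another environment's project only surfaces as an API error at apply time, presumably when the bucket's encryption block is applied. A `lifecycle { precondition }` on this data source (Terraform 1.2+) can fail the plan early by requiring a full key-ring id whose location segment equals `var.region`; if dual-region placement is in use the expected KMS location differs, so that case needs its own branch of the condition. The new variable's description in the README hunk refers to `var.location`, but the module's input is `var.region`; worth fixing while the variable block (cut off at the end of this diff) is being touched.
```hcl
data "google_kms_crypto_key" "key" {
  # … unchanged: name / key_ring …

  lifecycle {
    precondition {
      # Full key-ring id, e.g. projects/<project>/locations/<region>/keyRings/<name>,
      # in the same location as the bucket so CMEK can actually be applied.
      condition     = can(regex("^projects/[^/]+/locations/${var.region}/keyRings/[^/]+$", var.kms_keyring))
      error_message = "kms_keyring must be a full key ring id located in var.region."
    }
  }
}
```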
diff --git a/5-app-infra/source_repos/service-catalog/modules/bucket/main.tf b/5-app-infra/source_repos/service-catalog/modules/bucket/main.tf index 1ab54cbf..ebcc73d6 100644 --- a/5-app-infra/source_repos/service-catalog/modules/bucket/main.tf +++ b/5-app-infra/source_repos/service-catalog/modules/bucket/main.tf @@ -16,8 +16,8 @@ resource "google_storage_bucket" "bucket" { provider = google-beta - name = join("-", [var.gcs_bucket_prefix, data.google_projects.log.projects.0.labels.env_code, var.name]) - project = data.google_project.project.project_id + name = join("-", [var.gcs_bucket_prefix, data.google_project.project.effective_labels.env_code, var.name]) + project = var.project_id location = upper(var.region) dynamic "custom_placement_config" { @@ -125,7 +125,7 @@ resource "google_storage_bucket" "bucket" { #CRI Profile: DM.ED-7.1 DM.ED-7.2 DM.ED-7.3 DM.ED-7.4 PR.IP-1.4 logging { - log_bucket = join("-", [local.log_bucket_prefix, data.google_projects.log.projects.0.project_id]) + log_bucket = var.log_bucket } } diff --git a/5-app-infra/source_repos/service-catalog/modules/bucket/variables.tf b/5-app-infra/source_repos/service-catalog/modules/bucket/variables.tf index 9abddef7..50f5556a 100644 --- a/5-app-infra/source_repos/service-catalog/modules/bucket/variables.tf +++ b/5-app-infra/source_repos/service-catalog/modules/bucket/variables.tf @@ -16,7 +16,7 @@ variable "name" { type = string - description = "name of bucket" + description = "name of bucket." } variable "region" { @@ -31,8 +31,8 @@ variable "region" { variable "dual_region_locations" { type = list(string) + description = "dual region description." default = [] - description = "dual region description" validation { condition = length(var.dual_region_locations) == 0 || length(var.dual_region_locations) == 2 error_message = "Exactly 0 or 2 regions expected." 
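Review bot: `data.google_project.project.effective_labels.env_code` in the bucket `name` makes the plan fail with an attribute-lookup error whenever the project lacks an `env_code` label, and `effective_labels` only exists on this data source in recent google provider majors, so the provider constraint (versions.tf, not in this diff) needs checking; presumably the switch from `labels` to `effective_labels` is driven by that provider upgrade. A clearer failure is a precondition on the resource, `condition = contains(keys(data.google_project.project.effective_labels), "env_code")`, with an error message naming the project and the missing label (put it in the resource's existing `lifecycle` block if it has one; the resource body runs well past this hunk). Separately, `project = var.project_id` together with the variables.tf hunk that drops `default = null` makes `project_id` mandatory, which breaks callers that relied on the provider's default project and deserves an upgrade note.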
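Review bot: `log_bucket = var.log_bucket` takes whatever the caller passes, whereas the removed line derived the log bucket from the environment's logging project found by label, so a typo or a bucket from another environment is no longer caught at plan time and, if that bucket exists and is writable, access logs quietly land in the wrong place. GCS usage logging also requires the log bucket to grant `roles/storage.objectCreator` to `cloud-storage-analytics@google.com`, a prerequisite the env-level bucket presumably met and which the `log_bucket` variable description should now state. A `validation` block on `log_bucket`, for example `condition = can(regex("^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$", var.log_bucket))` for the plain 3–63 character bucket-name form, would at least reject malformed names.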
@@ -47,7 +47,7 @@ variable "force_destroy" { variable "versioning_enabled" { type = bool - description = "Whether to enable versioning or not" + description = "Whether to enable versioning or not." default = true } @@ -103,14 +103,14 @@ variable "lifecycle_rules" { variable "retention_policy" { type = any + description = "Map of retention policy values. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket#retention_policy." default = {} - description = "Map of retention policy values. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket#retention_policy" } variable "object_folder_temporary_hold" { type = bool - default = false description = "Set root folder temporary hold according to security control GCS-CO-6.16, toggle off to allow for object deletion." + default = false } #Labeling Tag @@ -119,8 +119,8 @@ variable "object_folder_temporary_hold" { #CRI Profile: PR.IP-2.1 PR.IP-2.2 PR.IP-2.3 variable "labels" { - description = "Labels to be attached to the buckets" type = map(string) + description = "Labels to be attached to the buckets." default = { #Labelling tag #Control ID: GCS-CO-6.4 @@ -146,20 +146,20 @@ variable "labels" { } variable "add_random_suffix" { - description = "whether to add a random suffix to the bucket name" type = bool + description = "whether to add a random suffix to the bucket name." default = false } variable "uniform_bucket_level_access" { - description = "Whether to have uniform access levels or not" type = bool + description = "Whether to have uniform access levels or not." default = true } variable "storage_class" { type = string - description = "Storage class to create the bucket" + description = "Storage class to create the bucket." default = "STANDARD" validation { condition = contains(["STANDARD", "MULTI_REGIONAL", "REGIONAL", "NEARLINE", "COLDLINE", "ARCHIVE"], var.storage_class) 
@@ -168,19 +168,31 @@ variable "storage_class" { } variable "requester_pays" { - description = "Enables Requester Pays on a storage bucket." type = bool + description = "Enables Requester Pays on a storage bucket." default = false } variable "gcs_bucket_prefix" { - description = "Name prefix to be used for GCS Bucket" type = string + description = "Name prefix to be used for GCS Bucket." default = "bkt" } variable "project_id" { type = string - description = "Optional Project ID." - default = null + description = "Project ID to create resources." +} + +variable "kms_keyring" { + type = string + description = <