diff --git a/modules/bq-log-alerting/logging/cloud_function/package.json b/modules/bq-log-alerting/logging/cloud_function/package.json
index 91d95ac6..972974ac 100644
--- a/modules/bq-log-alerting/logging/cloud_function/package.json
+++ b/modules/bq-log-alerting/logging/cloud_function/package.json
@@ -1,6 +1,6 @@
{
"dependencies": {
- "@google-cloud/bigquery": ">=0.10.0",
+ "@google-cloud/bigquery": "^6.0.0",
"@google-cloud/security-center": ">=3.0.1",
"crypto-js": "^3.0.0"
}
diff --git a/modules/storage/README.md b/modules/storage/README.md
index b2cc7112..8dfc3bd0 100644
--- a/modules/storage/README.md
+++ b/modules/storage/README.md
@@ -64,6 +64,7 @@ so that all dependencies are met.
| location | The location of the storage bucket. | `string` | `"US"` | no |
| log\_sink\_writer\_identity | The service account that logging uses to write log entries to the destination. (This is available as an output coming from the root module). | `string` | n/a | yes |
| project\_id | The ID of the project in which the storage bucket will be created. | `string` | n/a | yes |
+| public\_access\_prevention | Prevents public access to a bucket. Acceptable values are "inherited" or "enforced". If "inherited", the bucket uses public access prevention. only if the bucket is subject to the public access prevention organization policy constraint. | `string` | `"inherited"` | no |
| retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. |
object({
is_locked = bool
retention_period_days = number
})
| `null` | no |
| storage\_bucket\_labels | Labels to apply to the storage bucket. | `map(string)` | `{}` | no |
| storage\_bucket\_name | The name of the storage bucket to be created and used for log entries matching the filter. | `string` | n/a | yes |
diff --git a/modules/storage/main.tf b/modules/storage/main.tf
index d3be119e..6e75b122 100644
--- a/modules/storage/main.tf
+++ b/modules/storage/main.tf
@@ -39,7 +39,7 @@ resource "google_storage_bucket" "bucket" {
force_destroy = var.force_destroy
uniform_bucket_level_access = var.uniform_bucket_level_access
labels = var.storage_bucket_labels
-
+ public_access_prevention = var.public_access_prevention
versioning {
enabled = var.versioning
}
diff --git a/modules/storage/metadata.yaml b/modules/storage/metadata.yaml
index e9448885..1b0aaad4 100644
--- a/modules/storage/metadata.yaml
+++ b/modules/storage/metadata.yaml
@@ -139,6 +139,11 @@ spec:
type: bool
default: false
required: false
+ - name: public_access_prevention
+ description: Prevents public access to a bucket.
+ type: string
+ default: inherited
+ required: false
outputs:
- name: console_link
description: The console link to the destination storage bucket
diff --git a/modules/storage/variables.tf b/modules/storage/variables.tf
index 6f42f404..882a03de 100644
--- a/modules/storage/variables.tf
+++ b/modules/storage/variables.tf
@@ -105,3 +105,9 @@ variable "data_locations" {
type = list(string)
default = null
}
+
+variable "public_access_prevention" {
+ description = "Prevents public access to a bucket. Acceptable values are \"inherited\" or \"enforced\". If \"inherited\", the bucket uses public access prevention. only if the bucket is subject to the public access prevention organization policy constraint."
+ type = string
+ default = "inherited"
+}
diff --git a/modules/storage/versions.tf b/modules/storage/versions.tf
index b0f489da..53ef725e 100644
--- a/modules/storage/versions.tf
+++ b/modules/storage/versions.tf
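Review bot: The new `public_access_prevention = var.public_access_prevention` line takes the place of the blank line that separated the bucket's plain arguments from the nested `versioning` block, so the argument run now abuts the block; keep the attribute and restore the blank line after it so the separation the file had is preserved. Because the attribute is fed straight from the variable, the bucket's protection is decided by that variable's default (`"inherited"` in the variables.tf hunk), under which the bucket is protected only when the `storage.publicAccessPrevention` organization policy applies to it; callers of a log-sink destination module will want to pass `"enforced"` explicitly, and a comment on this line saying so would help, e.g. `# "inherited" defers to org policy; pass "enforced" to block public access unconditionally`. The enclosing `resource "google_storage_bucket" "bucket"` block starts and ends outside the hunk.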
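Review bot: The new `public_access_prevention` variable documents two accepted values but nothing rejects any other string, so a typo such as `"enforce"` is only reported by the provider at apply time; a `validation` block (supported since Terraform 0.13) makes `terraform plan` catch it instead. The description also carries a stray period ("uses public access prevention. only if") that cuts the sentence in two; the same text appears in the README hunk, and the metadata.yaml hunk's description omits the accepted values entirely, so the three should be brought into line. Since the default `"inherited"` leaves enforcement to organization policy, the description could state that directly: `Set to "enforced" to block public access regardless of organization policy.`
```hcl
variable "public_access_prevention" {
  description = "Prevents public access to a bucket. Acceptable values are \"inherited\" or \"enforced\". If \"inherited\", the bucket uses public access prevention only if the bucket is subject to the public access prevention organization policy constraint. Set to \"enforced\" to block public access regardless of organization policy."
  # … unchanged: type and default …

  validation {
    condition     = contains(["inherited", "enforced"], var.public_access_prevention)
    error_message = "public_access_prevention must be \"inherited\" or \"enforced\"."
  }
}
```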
@@ -20,7 +20,7 @@ terraform {
google = {
source = "hashicorp/google"
- version = ">= 4.40, < 6"
+ version = ">= 4.42, < 5.0"
}
}