
I am new to Terraform. There are many GCS buckets created through my Terraform code. I am trying to apply a deny policy that restricts console changes to these buckets only, not to the ones created directly from the console. I do not want to hardcode all the bucket names. The code structure has only a root module.

  • main.tf
  • bucket.tf
  • provider.tf
  • variables.tf
  • terraform.tfvars
```hcl
# buckets.tf
resource "google_storage_bucket" "bucket_1" {
  name                        = "bucket-1"
  location                    = "us-east1"
  force_destroy               = true
  uniform_bucket_level_access = true
}

resource "google_storage_bucket" "bucket_2" {
  name                        = "bucket-2"
  location                    = "us-east1"
  force_destroy               = true
  uniform_bucket_level_access = true
}

# ... creating many other buckets ...

# Trying to provide BUCKET PERMISSIONS for all buckets
resource "google_storage_bucket_iam_binding" "deny_changes_from_console" {
  for_each = toset(local.buckets_list) # *** I need all buckets here dynamically as a list ***
  bucket   = each.key
  role     = "roles/storage.admin"
  members = [
    "serviceAccount:${var.serviceaccount_email}"
  ]
  condition {
    title       = "Restrict console changes"
    description = "Prevent non-admin users from making changes through the console"
    expression  = "resource.type == 'storage.googleapis.com/Bucket' && resource.name == '${each.key}' && request.auth.claims['email'] != '${var.tf_serviceaccount_email}'"
  }
}
```

Basically, I am trying to list all the buckets dynamically, so that the next time a bucket is created we don't have to add the bucket name to deny_changes_from_console.

  • Where is the google_storage_bucket.buckets resource? – Commented Jul 10 at 10:05
  • That's where I am confused; will this resource have all the buckets? I have written it in the same buckets.tf where I am trying to deny the access. What should I define inside resource "google_storage_bucket" "buckets" { }? – adk, Jul 10 at 10:12
  • Can you paste how var.names and google_storage_bucket.buckets look in your code? – Filip, Jul 10 at 10:46
  • Same module or different module? Please edit your question and add the relevant code. – Commented Jul 10 at 10:46
  • @Filip I am not sure what needs to be added there. – adk, Jul 10 at 12:54

1 Answer

You can use a module for this: create your own or use the one provided by Google.

A module can take the name of a bucket and the other required parameters as arguments, and inside the module you can implement the creation of the bucket and of its IAM bindings. Take a look at the source code of the Google-provided module to get an idea of how it can be done if you choose to create your own module.

Of course, this solution applies to new buckets. The buckets already in your code will stay the same, or you can refactor your code and move those buckets into your new module using a moved block.

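The layout the answer describes, as an added example that is neither the asker's code nor the Google-provided module: a child module creates one bucket together with the IAM binding for it, the root module calls that module with for_each over a single set of names, and moved blocks adopt the two buckets that already exist in state so they are not destroyed and recreated. The module path modules/restricted_bucket, the variable bucket_names, and the assumption that tf_serviceaccount_email is declared in the root variables.tf as in the question are all assumptions made for this example.

```hcl
# ---- modules/restricted_bucket/variables.tf (assumed path) ----
variable "name" {
  description = "Globally unique bucket name"
  type        = string
}

variable "location" {
  description = "Bucket location"
  type        = string
  default     = "us-east1"
}

variable "tf_serviceaccount_email" {
  description = "Service account Terraform runs as; it gets roles/storage.admin on the bucket"
  type        = string
}

# ---- modules/restricted_bucket/main.tf ----
resource "google_storage_bucket" "this" {
  name                        = var.name
  location                    = var.location
  force_destroy               = true
  uniform_bucket_level_access = true
}

# google_storage_bucket_iam_binding is authoritative for the role it names:
# after apply, the Terraform service account is the only member holding
# roles/storage.admin directly on this bucket. Any other member previously
# bound to that role on the bucket is removed.
resource "google_storage_bucket_iam_binding" "tf_admin" {
  bucket  = google_storage_bucket.this.name
  role    = "roles/storage.admin"
  members = ["serviceAccount:${var.tf_serviceaccount_email}"]
}

output "name" {
  value = google_storage_bucket.this.name
}

# ---- main.tf (root module) ----
# The only place a new bucket has to be added: one name in this set.
variable "bucket_names" {
  description = "Names of all buckets managed by this configuration (assumed variable)"
  type        = set(string)
  default     = ["bucket-1", "bucket-2"]
}

module "bucket" {
  source   = "./modules/restricted_bucket"
  for_each = var.bucket_names

  name                    = each.key
  tf_serviceaccount_email = var.tf_serviceaccount_email # assumed to exist in variables.tf
}

# Adopt the buckets that are already in state under their old addresses
# so that `terraform plan` shows a move, not a destroy and create.
moved {
  from = google_storage_bucket.bucket_1
  to   = module.bucket["bucket-1"].google_storage_bucket.this
}

moved {
  from = google_storage_bucket.bucket_2
  to   = module.bucket["bucket-2"].google_storage_bucket.this
}
```

One caveat on the condition in the original binding: google_storage_bucket_iam_binding is part of an allow policy. A condition only narrows when the listed members hold the role; it cannot take a permission away from anyone else, and IAM grants are additive, so a user who already holds roles/storage.admin or roles/owner at the project or folder level can still edit these buckets from the console regardless of what the bucket-level binding says. Actually blocking them means removing those higher-level grants or writing an IAM deny policy, which is a separate resource type from the binding shown here.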
