I am new to Terraform. There are many GCS buckets created through my Terraform code. I am trying to apply a deny policy that restricts console changes on these buckets only, and not on the ones created directly from the console. I do not want to hardcode all the bucket names. The code structure has only a root module.
- main.tf
- bucket.tf
- provider.tf
- variables.tf
- terraform.tfvars
```hcl
# buckets.tf
resource "google_storage_bucket" "bucket_1" {
  name                        = "bucket-1"
  location                    = "us-east1"
  force_destroy               = true
  uniform_bucket_level_access = true
}

resource "google_storage_bucket" "bucket_2" {
  name                        = "bucket-2"
  location                    = "us-east1"
  force_destroy               = true
  uniform_bucket_level_access = true
}

# ... creating many other buckets ...

# Trying to provide BUCKET PERMISSIONS for all buckets
resource "google_storage_bucket_iam_binding" "deny_changes_from_console" {
  for_each = toset(local.buckets_list) # *** I need all buckets here dynamically as a list ***

  bucket = each.key
  role   = "roles/storage.admin"
  members = [
    "serviceAccount:${var.serviceaccount_email}"
  ]

  condition {
    title       = "Restrict console changes"
    description = "Prevent non-admin users from making changes through the console"
    expression  = "resource.type == 'storage.googleapis.com/Bucket' && resource.name == '${each.key}' && request.auth.claims['email'] != '${var.tf_serviceaccount_email}'"
  }
}
```
Basically I am trying to list all the buckets dynamically, so that the next time a bucket is created, we don't have to add the bucket name to `deny_changes_from_console`.
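One way to get that list without hardcoding it, as an added example rather than the asker's own code: declare the buckets once with `for_each` and then iterate the IAM resource over the instances of that resource, so a name added to the variable gets the binding on the next apply. The variable `bucket_names`, the resource label `buckets` and the output name are assumptions; the condition keeps only the `resource.name` check, written in the `projects/_/buckets/<name>` form that IAM conditions use for bucket resources.

```hcl
# variables.tf (assumed): one entry per Terraform-managed bucket
variable "bucket_names" {
  type    = set(string)
  default = ["bucket-1", "bucket-2"]
}

variable "tf_serviceaccount_email" {
  type = string
}

# buckets.tf: a single resource block, one instance per bucket name
resource "google_storage_bucket" "buckets" {
  for_each = var.bucket_names

  name                        = each.key
  location                    = "us-east1"
  force_destroy               = true
  uniform_bucket_level_access = true
}

# Iterate over the bucket instances themselves, so the binding set always
# matches the set of buckets Terraform manages. Caution: *_iam_binding is
# authoritative for the role on each bucket, so any other member holding
# roles/storage.admin on that bucket is removed on apply.
resource "google_storage_bucket_iam_binding" "deny_changes_from_console" {
  for_each = google_storage_bucket.buckets

  bucket = each.value.name
  role   = "roles/storage.admin"
  members = [
    "serviceAccount:${var.tf_serviceaccount_email}",
  ]

  condition {
    title       = "Restrict to this bucket"
    description = "Grant applies only to the bucket it is attached to"
    # Bucket resource names in IAM conditions have the form
    # projects/_/buckets/<bucket-name>, not the bare bucket name.
    expression  = "resource.name == 'projects/_/buckets/${each.value.name}'"
  }
}

# Every managed bucket name, for other modules or for a plan-time check
output "managed_bucket_names" {
  value = sort([for b in google_storage_bucket.buckets : b.name])
}
```

A condition on an allow binding only narrows that grant; it does not block other principals from changing the bucket in the console, which is what IAM deny policies are for.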
What do the `google_storage_bucket.buckets` resource, `var.names` and `google_storage_bucket.buckets` look like in your code?