From f038511fc58371f51255cc8921d31b0da82094f5 Mon Sep 17 00:00:00 2001
From: g-awmalik
Date: Fri, 16 Dec 2022 14:42:47 -0800
Subject: [PATCH] fix: fixes lint issues and generates metadata (#207)
Co-authored-by: Awais Malik
---
 Makefile | 2 +-
 build/int.cloudbuild.yaml | 2 +-
 build/lint.cloudbuild.yaml | 2 +-
 metadata.yaml | 271 ++++++++++++++++++++++++++++
 modules/simple_bucket/metadata.yaml | 149 +++++++++++++++
 versions.tf | 5 +
 6 files changed, 428 insertions(+), 3 deletions(-)
 create mode 100644 metadata.yaml
 create mode 100644 modules/simple_bucket/metadata.yaml
diff --git a/Makefile b/Makefile
index 73948683..fd1a26fd 100644
--- a/Makefile
+++ b/Makefile
@@ -15,7 +15,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.4
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.10
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index eece6b4f..c154519f 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
@@ -41,4 +41,4 @@ tags:
 - 'integration'
 substitutions:
 _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
- _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.4'
+ _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10'
diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml
index 125312cb..aded0ca2 100644
--- a/build/lint.cloudbuild.yaml
+++ b/build/lint.cloudbuild.yaml
@@ -21,4 +21,4 @@ tags:
 - 'lint'
 substitutions:
 _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
- _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.4'
+ _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10'
diff --git a/metadata.yaml b/metadata.yaml
new file mode 100644
index 00000000..146e7417
--- /dev/null
+++ b/metadata.yaml
@@ -0,0 +1,271 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-cloud-storage + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Terraform Google Cloud Storage Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-cloud-storage.git + sourceType: git + version: 3.4.0 + actuationTool: + type: Terraform + version: '>= 0.13' + subBlueprints: + - name: simple_bucket + location: modules/simple_bucket + examples: + - name: multiple_buckets + location: examples/multiple_buckets + - name: simple_bucket + location: examples/simple_bucket + variables: + - name: admins + description: IAM-style members who will be granted roles/storage.objectAdmin on all buckets. + type: list(string) + default: [] + required: false + - name: bucket_admins + description: Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket admins. + type: map(string) + default: {} + required: false + - name: bucket_creators + description: Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket creators. + type: map(string) + default: {} + required: false + - name: bucket_hmac_key_admins + description: Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket HMAC Key admins. 
+ type: map(string) + default: {} + required: false + - name: bucket_lifecycle_rules + description: Additional lifecycle_rules for specific buckets. Map of lowercase unprefixed name => list of lifecycle rules to configure. + type: |- + map(set(object({ + # Object with keys: + # - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass. + # - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule. + action = map(string) + + # Object with keys: + # - age - (Optional) Minimum age of an object in days to satisfy this condition. + # - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition. + # - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY". + # - matches_storage_class - (Optional) Comma delimited string for storage class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY. + # - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition. + # - custom_time_before - (Optional) A date in the RFC 3339 format YYYY-MM-DD. This condition is satisfied when the customTime metadata for the object is set to an earlier date than the date used in this lifecycle condition. + # - days_since_custom_time - (Optional) The number of days from the Custom-Time metadata attribute after which this condition becomes true. + # - days_since_noncurrent_time - (Optional) Relevant only for versioned objects. Number of days elapsed since the noncurrent timestamp of an object. + # - noncurrent_time_before - (Optional) Relevant only for versioned objects. The date in RFC 3339 (e.g. 2017-06-13) when the object became nonconcurrent. 
+ condition = map(string) + }))) + default: {} + required: false + - name: bucket_policy_only + description: Disable ad-hoc ACLs on specified buckets. Defaults to true. Map of lowercase unprefixed name => boolean + type: map(bool) + default: {} + required: false + - name: bucket_storage_admins + description: Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket storage admins. + type: map(string) + default: {} + required: false + - name: bucket_viewers + description: Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket viewers. + type: map(string) + default: {} + required: false + - name: cors + description: 'Set of maps of mixed type attributes for CORS values. See appropriate attribute types here: https://www.terraform.io/docs/providers/google/r/storage_bucket.html#cors' + type: set(any) + default: [] + required: false + - name: creators + description: IAM-style members who will be granted roles/storage.objectCreators on all buckets. + type: list(string) + default: [] + required: false + - name: default_event_based_hold + description: Enable event based hold to new objects added to specific bucket. Defaults to false. Map of lowercase unprefixed name => boolean + type: map(bool) + default: {} + required: false + - name: encryption_key_names + description: Optional map of lowercase unprefixed name => string, empty strings are ignored. + type: map(string) + default: {} + required: false + - name: folders + description: Map of lowercase unprefixed name => list of top level folder objects. + type: map(list(string)) + default: {} + required: false + - name: force_destroy + description: Optional map of lowercase unprefixed name => boolean, defaults to false. + type: map(bool) + default: {} + required: false + - name: hmac_key_admins + description: IAM-style members who will be granted roles/storage.hmacKeyAdmin on all buckets. 
+ type: list(string) + default: [] + required: false + - name: labels + description: Labels to be attached to the buckets + type: map(string) + default: {} + required: false + - name: lifecycle_rules + description: List of lifecycle rules to configure. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#lifecycle_rule except condition.matches_storage_class should be a comma delimited string. + type: |- + set(object({ + # Object with keys: + # - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass. + # - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule. + action = map(string) + + # Object with keys: + # - age - (Optional) Minimum age of an object in days to satisfy this condition. + # - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition. + # - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY". + # - matches_storage_class - (Optional) Comma delimited string for storage class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY. + # - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition. + # - custom_time_before - (Optional) A date in the RFC 3339 format YYYY-MM-DD. This condition is satisfied when the customTime metadata for the object is set to an earlier date than the date used in this lifecycle condition. + # - days_since_custom_time - (Optional) The number of days from the Custom-Time metadata attribute after which this condition becomes true. + # - days_since_noncurrent_time - (Optional) Relevant only for versioned objects. 
Number of days elapsed since the noncurrent timestamp of an object. + # - noncurrent_time_before - (Optional) Relevant only for versioned objects. The date in RFC 3339 (e.g. 2017-06-13) when the object became nonconcurrent. + condition = map(string) + })) + default: [] + required: false + - name: location + description: Bucket location. + type: string + default: EU + required: false + - name: logging + description: Map of lowercase unprefixed name => bucket logging config object. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#logging + type: any + default: {} + required: false + - name: names + description: Bucket name suffixes. + type: list(string) + required: true + - name: prefix + description: Prefix used to generate the bucket name. + type: string + required: true + - name: project_id + description: Bucket project id. + type: string + required: true + - name: randomize_suffix + description: Adds an identical, but randomized 4-character suffix to all bucket names + type: bool + default: false + required: false + - name: retention_policy + description: Map of retention policy values. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket#retention_policy + type: any + default: {} + required: false + - name: set_admin_roles + description: Grant roles/storage.objectAdmin role to admins and bucket_admins. + type: bool + default: false + required: false + - name: set_creator_roles + description: Grant roles/storage.objectCreator role to creators and bucket_creators. + type: bool + default: false + required: false + - name: set_hmac_key_admin_roles + description: Grant roles/storage.hmacKeyAdmin role to hmac_key_admins and bucket_hmac_key_admins. + type: bool + default: false + required: false + - name: set_storage_admin_roles + description: Grant roles/storage.admin role to storage_admins and bucket_storage_admins. 
+ type: bool + default: false + required: false + - name: set_viewer_roles + description: Grant roles/storage.objectViewer role to viewers and bucket_viewers. + type: bool + default: false + required: false + - name: storage_admins + description: IAM-style members who will be granted roles/storage.admin on all buckets. + type: list(string) + default: [] + required: false + - name: storage_class + description: Bucket storage class. + type: string + default: STANDARD + required: false + - name: versioning + description: Optional map of lowercase unprefixed name => boolean, defaults to false. + type: map(bool) + default: {} + required: false + - name: viewers + description: IAM-style members who will be granted roles/storage.objectViewer on all buckets. + type: list(string) + default: [] + required: false + - name: website + description: 'Map of website values. Supported attributes: main_page_suffix, not_found_page' + type: map(any) + default: {} + required: false + outputs: + - name: bucket + description: Bucket resource (for single use). + - name: buckets + description: Bucket resources as list. + - name: buckets_map + description: Bucket resources by name. + - name: name + description: Bucket name (for single use). + - name: names + description: Bucket names. + - name: names_list + description: List of bucket names. + - name: url + description: Bucket URL (for single use). + - name: urls + description: Bucket URLs. + - name: urls_list + description: List of bucket URLs. + roles: + - level: Project + roles: + - roles/storage.admin + - roles/iam.serviceAccountUser + services: + - iam.googleapis.com + - storage-api.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - serviceusage.googleapis.com diff --git a/modules/simple_bucket/metadata.yaml b/modules/simple_bucket/metadata.yaml new file mode 100644 index 00000000..53913a29 --- /dev/null +++ b/modules/simple_bucket/metadata.yaml 
@@ -0,0 +1,149 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-cloud-storage + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Terraform Google Cloud Storage Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-cloud-storage.git + sourceType: git + version: 3.4.0 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: multiple_buckets + location: examples/multiple_buckets + - name: simple_bucket + location: examples/simple_bucket + variables: + - name: bucket_policy_only + description: Enables Bucket Policy Only access to a bucket. + type: bool + default: true + required: false + - name: cors + description: Configuration of CORS for bucket with structure as defined in https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#cors. + type: any + default: [] + required: false + - name: encryption + description: A Cloud KMS key that will be used to encrypt objects inserted into this bucket + type: |- + object({ + default_kms_key_name = string + }) + required: false + - name: force_destroy + description: When deleting a bucket, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects. 
+ type: bool + default: false + required: false + - name: iam_members + description: The list of IAM members to grant permissions on the bucket. + type: |- + list(object({ + role = string + member = string + })) + default: [] + required: false + - name: labels + description: A set of key/value label pairs to assign to the bucket. + type: map(string) + required: false + - name: lifecycle_rules + description: The bucket's Lifecycle Rules configuration. + type: |- + list(object({ + # Object with keys: + # - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass. + # - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule. + action = any + + # Object with keys: + # - age - (Optional) Minimum age of an object in days to satisfy this condition. + # - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition. + # - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY". + # - matches_storage_class - (Optional) Storage Class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY. + # - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition. + condition = any + })) + default: [] + required: false + - name: location + description: The location of the bucket. + type: string + required: true + - name: log_bucket + description: The bucket that will receive log objects. + type: string + required: false + - name: log_object_prefix + description: The object prefix for log objects. If it's not provided, by default GCS sets this to this bucket's name + type: string + required: false + - name: name + description: The name of the bucket. 
+ type: string
+ required: true
+ - name: project_id
+ description: The ID of the project to create the bucket in.
+ type: string
+ required: true
+ - name: retention_policy
+ description: Configuration of the bucket's data retention policy for how long objects in the bucket should be retained.
+ type: |-
+ object({
+ is_locked = bool
+ retention_period = number
+ })
+ required: false
+ - name: storage_class
+ description: The Storage Class of the new bucket.
+ type: string
+ required: false
+ - name: versioning
+ description: While set to true, versioning is fully enabled for this bucket.
+ type: bool
+ default: true
+ required: false
+ - name: website
+ description: 'Map of website values. Supported attributes: main_page_suffix, not_found_page'
+ type: map(any)
+ default: {}
+ required: false
+ outputs:
+ - name: bucket
+ description: The created storage bucket
+ - name: name
+ description: Bucket name.
+ - name: url
+ description: Bucket URL.
+ roles:
+ - level: Project
+ roles:
+ - roles/storage.admin
+ - roles/iam.serviceAccountUser
+ services:
+ - iam.googleapis.com
+ - storage-api.googleapis.com
+ - cloudresourcemanager.googleapis.com
+ - compute.googleapis.com
+ - serviceusage.googleapis.com
diff --git a/versions.tf b/versions.tf
index c7afd595..9af17225 100644
--- a/versions.tf
+++ b/versions.tf
@@ -22,6 +22,11 @@ terraform {
 source = "hashicorp/google"
 version = ">= 3.53, < 5.0"
 }
+
+ random = {
+ source = "hashicorp/random"
+ version = "~> 3.0"
+ }
 }
 provider_meta "google" {
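Review bot: The submodule's metadata identifies itself as the root module — near the top of this hunk it carries `name: terraform-google-cloud-storage`, `title: Terraform Google Cloud Storage Module` and an `examples` list pointing at the root-level `examples/multiple_buckets` and `examples/simple_bucket` — so anything that keys blueprints by name or title cannot tell `modules/simple_bucket/metadata.yaml` apart from the root `metadata.yaml` added earlier in this patch, which has the same values. The commit title says this file is generator output, so the fix presumably lies in the generator's input for the submodule (its README heading, for instance) rather than a hand edit, but the checked-in result should still name the submodule and list only the example that exercises it. The hunk begins at its `@@ -0,0 +1,149 @@` header above and ends at `serviceusage.googleapis.com`.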
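Review bot: The new `random` provider entry writes its constraint as `version = "~> 3.0"` while the google entry right above it uses explicit bounds, `">= 3.53, < 5.0"`; for a consistent `required_providers` block I would spell out the equivalent range, `version = ">= 3.0, < 4.0"`, which is exactly what `~> 3.0` allows. The enclosing `terraform {` block starts before the hunk. Nothing in the hunk shows what uses the random provider; if, as the root metadata's `randomize_suffix` variable suggests, it backs the bucket-name suffix, a one-line comment above the entry such as `# required by randomize_suffix (random suffix on bucket names)` would make the dependency traceable, and the lower bound should match the features that resource actually relies on. Module consumers resolve the concrete provider version through their own lock file, so a floating minor range is acceptable here, but the lower bound should be deliberate rather than the default `~> 3.0` a scaffold emits.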