Import Auto-generated GCS Buckets & Encrypt Objects with CMEKs, Configure Lifecycle settings

Abhilash Indulkar
4 min read · Jul 15, 2022

· Import the existing resources into terraform state
Procedure
· Encrypting the Auto-generated GCS Buckets with CMEKs
· Lifecycle Rules for Storage Bucket Objects
· Reference for Auto-Generated Buckets

Import the existing resources into terraform state

The terraform import command brings existing infrastructure under Terraform management by writing it into the state file.

Terraform imports one resource at a time, so each auto-generated bucket needs its own resource block and its own import command. The Import Usage Documentation notes that this workflow may be improved in future versions of Terraform.

Procedure

  • GCS buckets auto-generated by Cloud Functions in different regions.

Importing the Cloud Functions asia-south1 bucket into the tfstate.

  • Create an import_gcs.tf file and declare a google_storage_bucket resource block for the bucket to be imported. The block is left empty at this stage; its arguments are filled in after the import, from the plan output.

```hcl
## Import GCS Buckets into TF STATE.
resource "google_storage_bucket" "gcf-asia-south-1" {}
```
  • Run terraform import to import the bucket.

As the provider documentation notes, storage buckets can be imported using the bucket name or project/name. If the project is not passed to the import command it is inferred from the provider block or environment variables; if it cannot be inferred it is queried from the Compute API (this fails if that API is not enabled), so the project/name form is the safer one.

```shell
terraform import google_storage_bucket.gcf-asia-south-1 gcf-sources-607906002488-asia-south1
```

The resource is now in the tfstate; terraform state list returns:

```shell
terraform state list
google_storage_bucket.gcf-asia-south-1
```
  • Run terraform plan to see the attributes of the existing bucket and copy them into the resource block.

The resource block MUST match the existing GCP resource. For google_storage_bucket, name, location and project force replacement, so a plan that shows the bucket being destroyed and recreated means the configuration is wrong; applying it would delete the bucket together with the function source objects stored in it. Any other difference shows up as an in-place update and must also be reconciled before applying.

After the resource block has been updated from the plan output, the tfstate and the existing resource configuration match:

```hcl
## Import GCS Buckets into TF STATE.
resource "google_storage_bucket" "gcf-asia-south-1" {
  name                        = "gcf-sources-607906002488-asia-south1"
  location                    = "ASIA-SOUTH1"
  project                     = "devops-dev-prj"
  uniform_bucket_level_access = true

  cors {
    max_age_seconds = 0
    method          = ["GET"]
    origin = [
      "https://*.cloud.google.com",
      "https://*.corp.google.com",
      "https://*.corp.google.com:*",
    ]
    response_header = []
  }
}
```

terraform plan now reports no changes.

  • The same procedure applies to the other auto-generated GCS buckets.
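Added example, not part of the original post: Terraform 1.5 (released June 2023, after this post was written) added declarative import blocks, so the one-bucket-at-a-time loop above can be written once in configuration and planned in a single run. The project ID, the for_each map and the second region (us-central1) below are assumptions for illustration; the asia-south1 bucket and its CORS settings are the ones from the post.

```hcl
# Added example: declarative imports of the auto-generated Cloud Functions
# source buckets. Requires Terraform >= 1.5. Project ID, the us-central1
# bucket and the map layout are assumptions, not values from the post.
locals {
  project = "devops-dev-prj"
  gcf_buckets = {
    "asia-south1" = "gcf-sources-607906002488-asia-south1"
    "us-central1" = "gcf-sources-607906002488-us-central1" # hypothetical second region
  }
}

# One resource instance per auto-generated bucket, keyed by region.
# Attributes must match the live buckets (see the plan check above):
# name, location and project force replacement if they differ.
resource "google_storage_bucket" "gcf" {
  for_each = local.gcf_buckets

  name                        = each.value
  location                    = upper(each.key)
  project                     = local.project
  uniform_bucket_level_access = true

  cors {
    max_age_seconds = 0
    method          = ["GET"]
    origin = [
      "https://*.cloud.google.com",
      "https://*.corp.google.com",
      "https://*.corp.google.com:*",
    ]
    response_header = []
  }
}

# One import block per bucket. The id uses the project/name form so the
# provider never has to infer the project (and never falls back to the
# Compute API lookup). Ids are literal strings here because expressions in
# the id argument were not accepted by the first import-block releases.
import {
  to = google_storage_bucket.gcf["asia-south1"]
  id = "devops-dev-prj/gcf-sources-607906002488-asia-south1"
}

import {
  to = google_storage_bucket.gcf["us-central1"]
  id = "devops-dev-prj/gcf-sources-607906002488-us-central1"
}
```

Running terraform plan with these blocks in place reports the buckets as "to import" and, in the same plan, any attribute that differs between the resource block and the live bucket, so a replacement can be caught before anything is applied. For buckets that do not yet have a resource block, terraform plan -generate-config-out=generated.tf writes a first draft of the block from the live resource; it is still worth reviewing that draft against the plan before committing it.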

Encrypting the Auto-generated GCS Buckets with CMEKs

Use an encryption block inside the google_storage_bucket resource to set the bucket's default CMEK. Three things to check before applying it: the key ring must be in a location that matches the bucket's location (here asia-south1); the project's Cloud Storage service agent must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on the key, otherwise the apply and every later object write fail; and default_kms_key_name only applies to objects written after the change, so objects already in the bucket keep their existing encryption until they are rewritten.

```hcl
encryption {
  default_kms_key_name = local.kms_key_asiasouth1[0] // key-resource-id
}
```

Lifecycle Rules for Storage Bucket Objects

Specify lifecycle_rule blocks inside the google_storage_bucket resource, each pairing a condition (here the object's age in days) with an action (change the storage class, or delete the object). The thresholds below line up with the minimum storage durations of the classes (30 days for Nearline, 90 for Coldline, 365 for Archive), so no object is moved on or deleted before its minimum duration has elapsed.

```hcl
lifecycle_rule {
  condition {
    age = 30
  }
  action {
    type          = "SetStorageClass"
    storage_class = "NEARLINE"
  }
}

lifecycle_rule {
  condition {
    age = 90
  }
  action {
    type          = "SetStorageClass"
    storage_class = "COLDLINE"
  }
}

lifecycle_rule {
  condition {
    age = 365
  }
  action {
    type          = "SetStorageClass"
    storage_class = "ARCHIVE"
  }
}

lifecycle_rule {
  condition {
    age = 730
  }
  action {
    type = "Delete"
  }
}
```

Once applied through Terraform, the bucket's lifecycle configuration is a set of rules that Cloud Storage evaluates against current and future objects in the bucket. When an object meets the condition of a rule, Cloud Storage performs that rule's action on it automatically. If several rules match an object at the same time, a Delete action takes precedence over SetStorageClass, and among SetStorageClass actions the one that moves to the cheapest storage class wins, so an old object does not step through every class in turn.
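Added example that ties the two sections above together, not the post's own configuration: the asia-south1 bucket with the CMEK and the lifecycle rules from the post, plus the piece the post leaves implicit, the IAM grant to the project's Cloud Storage service agent that the encryption block depends on. The project ID and the key resource ID in local.kms_key_asiasouth1 are assumptions; the bucket name, location, CORS and lifecycle thresholds are the post's.

```hcl
# Added example: CMEK-encrypted Cloud Functions source bucket with the
# service-agent key grant and lifecycle rules. Project ID and the key
# resource ID are assumptions; the key ring is assumed to live in
# asia-south1 so its location matches the bucket.
locals {
  project = "devops-dev-prj"
  kms_key_asiasouth1 = [
    "projects/devops-dev-prj/locations/asia-south1/keyRings/gcs-keys/cryptoKeys/gcf-sources", # hypothetical
  ]
}

# Cloud Storage encrypts objects using its own per-project service agent,
# not the caller's identity, so the agent (not the deployer) needs the key.
data "google_storage_project_service_account" "gcs" {
  project = local.project
}

resource "google_kms_crypto_key_iam_member" "gcs_can_use_key" {
  crypto_key_id = local.kms_key_asiasouth1[0]
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_storage_bucket" "gcf-asia-south-1" {
  name                        = "gcf-sources-607906002488-asia-south1"
  location                    = "ASIA-SOUTH1" # must match the key ring location
  project                     = local.project
  uniform_bucket_level_access = true

  cors {
    max_age_seconds = 0
    method          = ["GET"]
    origin = [
      "https://*.cloud.google.com",
      "https://*.corp.google.com",
      "https://*.corp.google.com:*",
    ]
    response_header = []
  }

  # Default key for objects written from now on; existing objects are not
  # re-encrypted by this change.
  encryption {
    default_kms_key_name = local.kms_key_asiasouth1[0]
  }

  # Age thresholds sit at or beyond each class's minimum storage duration.
  lifecycle_rule {
    condition { age = 30 }
    action {
      type          = "SetStorageClass"
      storage_class = "NEARLINE"
    }
  }
  lifecycle_rule {
    condition { age = 90 }
    action {
      type          = "SetStorageClass"
      storage_class = "COLDLINE"
    }
  }
  lifecycle_rule {
    condition { age = 365 }
    action {
      type          = "SetStorageClass"
      storage_class = "ARCHIVE"
    }
  }
  lifecycle_rule {
    condition { age = 730 }
    action { type = "Delete" }
  }

  # Make sure the grant exists before the bucket is pointed at the key;
  # otherwise the apply fails with a KMS permission error.
  depends_on = [google_kms_crypto_key_iam_member.gcs_can_use_key]
}
```

The depends_on is the part that bites in practice: the provider validates the default key when the bucket is updated, and without the binding in place first the apply fails even though the configuration is otherwise correct. Objects that were already in the bucket before the encryption block was added stay under their previous encryption until they are rewritten, so a migration of a live bucket is not finished when terraform apply returns.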

Reference for Auto-Generated Buckets

Happy Reading!!!
