IaC Bazaar
Google Cloud · Plan-validated

Cloud Storage Bucket

Hardened GCS bucket with uniform access, versioning, lifecycle/soft-delete policies, CMEK and least-privilege IAM.

terraform · GCP · #gcp

gcp-gcs-bucket · terraform v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan clean (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

gcp-gcs-bucket

Hardened GCS bucket with uniform access, versioning, lifecycle/soft-delete policies, CMEK and least-privilege IAM. Works with Terraform and OpenTofu (>= 1.6), Google provider >= 7.0, < 8.0.

Secure defaults:

  • Uniform bucket-level access always on (no object ACLs to drift)
  • public_access_prevention = "enforced" — and the module rejects allUsers / allAuthenticatedUsers IAM members at plan time
  • Object versioning on, paired with a default lifecycle rule keeping the 10 newest noncurrent versions and aborting stale multipart uploads after 7 days
  • Soft delete at GCP's 7-day default (tunable 7-90 days, or 0 to disable)
  • Optional CMEK, Autoclass, WORM retention and access logging

Requirements

  • Terraform or OpenTofu >= 1.6
  • hashicorp/google >= 7.0, < 8.0

Notes for integrators:

  • CMEK: grant the Cloud Storage service agent (service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com) roles/cloudkms.cryptoKeyEncrypterDecrypter on the key before enabling, or bucket creation fails.
  • Retention lock: retention_policy.is_locked = true is irreversible — the bucket cannot be deleted until every object exceeds the retention period.
  • Autoclass requires storage_class = "STANDARD"; the module enforces this at plan time.
  • The IAM map is keyed by static labels rather than by member, so member values may be unknown at plan time (e.g. another module's service-account output).
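As an added example (not the module's code, which ships with the licence), the following plain Terraform configuration reproduces the secure defaults and the CMEK prerequisite listed above against the hashicorp/google 7.x provider. The variable names, the EU location, and granting every member the single objectViewer role are assumptions made for the example.

```hcl
variable "project_id"  { type = string } # assumed inputs for this example, not module inputs
variable "bucket_name" { type = string }
variable "kms_key_id"  { type = string } # resource id of an existing Cloud KMS key
variable "iam_members" {
  type = map(string) # static key -> member, e.g. "ro" = "group:readers@example.com"
  validation { # plan-time guard: no public principals on the bucket
    condition     = alltrue([for m in values(var.iam_members) : !contains(["allUsers", "allAuthenticatedUsers"], m)])
    error_message = "allUsers / allAuthenticatedUsers are not allowed on this bucket."
  }
}

data "google_storage_project_service_account" "gcs" { project = var.project_id }

# CMEK prerequisite: the Cloud Storage service agent must be able to use the key
# before the bucket is created, or creation fails.
resource "google_kms_crypto_key_iam_member" "gcs_cmek" {
  crypto_key_id = var.kms_key_id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}
resource "google_storage_bucket" "hardened" {
  name                        = var.bucket_name
  project                     = var.project_id
  location                    = "EU"
  storage_class               = "STANDARD"
  uniform_bucket_level_access = true       # no object ACLs to drift
  public_access_prevention    = "enforced"
  versioning { enabled = true }
  lifecycle_rule { # keep the 10 newest noncurrent versions, delete older ones
    action { type = "Delete" }
    condition {
      with_state         = "ARCHIVED"
      num_newer_versions = 10
    }
  }
  lifecycle_rule { # abort multipart uploads left incomplete for 7 days
    action { type = "AbortIncompleteMultipartUpload" }
    condition { age = 7 }
  }
  soft_delete_policy { retention_duration_seconds = 604800 } # 7 days; 0 disables
  encryption { default_kms_key_name = var.kms_key_id }
  depends_on = [google_kms_crypto_key_iam_member.gcs_cmek]
}

resource "google_storage_bucket_iam_member" "members" {
  for_each = var.iam_members # static keys, so values may be unknown at plan time
  bucket   = google_storage_bucket.hardened.name
  role     = "roles/storage.objectViewer"
  member   = each.value
}
```

Passing `iam_members = { anyone = "allUsers" }` fails at `terraform plan` with the validation message rather than creating a public bucket.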

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.