Merge pull request gruntwork-io#1034 from chrissng/gcs-bucket-policy-…

…only Allow creating GCS remote state bucket with Bucket Policy Only
kujon · Feb 18, 2020 · ef761c3 · ef761c3
2 parents fb099f4 + f11258a
commit ef761c3
Show file tree

Hide file tree

Showing 5 changed files with 164 additions and 21 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -31,11 +31,11 @@
 
 [[constraint]]
   name = "cloud.google.com/go"
-  version = "0.35.1"
+  version = "0.53.0"
 
 [[constraint]]
-  branch = "master"
   name = "google.golang.org/api"
+  version = "0.16.0"
 
 [[constraint]]
   name = "github.com/go-errors/errors"

diff --git a/docs/_docs/02_features/keep-your-remote-state-configuration-dry.md b/docs/_docs/02_features/keep-your-remote-state-configuration-dry.md
@@ -256,10 +256,12 @@ remote_state {
 
  skip_bucket_versioning = true # use only if the object store does not support versioning
 
+ enable_bucket_policy_only = false # use only if uniform bucket-level access is needed (https://cloud.google.com/storage/docs/uniform-bucket-level-access)
+
  encryption_key = "GOOGLE_ENCRYPTION_KEY"
 }
 ```
 
 If you experience an error for any of these configurations, confirm you are using Terraform v0.12.0 or greater.
 
-Further, the config options `gcs_bucket_labels` and `skip_bucket_versioning` are only valid for the backend `gcs`. They are used by terragrunt and are **not** passed on to terraform. See section [Create remote state and locking resources automatically](#create-remote-state-and-locking-resources-automatically).
+Further, the config options `gcs_bucket_labels`, `skip_bucket_versioning` and `enable_bucket_policy_only` are only valid for the backend `gcs`. They are used by terragrunt and are **not** passed on to terraform. See section [Create remote state and locking resources automatically](#create-remote-state-and-locking-resources-automatically).
diff --git a/docs/_docs/04_reference/config-blocks-and-attributes.md b/docs/_docs/04_reference/config-blocks-and-attributes.md
@@ -215,6 +215,7 @@ For the `gcs` backend, the following additional properties are supported in the
 - `skip_bucket_creation`: When `true`, Terragrunt will skip the auto initialization routine for setting up the GCS
   bucket for use with remote state.
 - `skip_bucket_versioning`: When `true`, the GCS bucket that is created to store the state will not be versioned.
+- `enable_bucket_policy_only`: When `true`, the GCS bucket that is created to store the state will be configured to use uniform bucket-level access.
 - `project`: The GCP project where the bucket will be created.
 - `location`: The GCP location where the bucket will be created.
 - `gcs_bucket_labels`: A map of key value pairs to associate as labels on the created GCS bucket.

diff --git a/remote/remote_state_gcs.go b/remote/remote_state_gcs.go
@@ -28,11 +28,12 @@ import (
 type ExtendedRemoteStateConfigGCS struct {
 	remoteStateConfigGCS RemoteStateConfigGCS
 
-	Project              string            `mapstructure:"project"`
-	Location             string            `mapstructure:"location"`
-	GCSBucketLabels      map[string]string `mapstructure:"gcs_bucket_labels"`
-	SkipBucketVersioning bool              `mapstructure:"skip_bucket_versioning"`
-	SkipBucketCreation   bool              `mapstructure:"skip_bucket_creation"`
+	Project                string            `mapstructure:"project"`
+	Location               string            `mapstructure:"location"`
+	GCSBucketLabels        map[string]string `mapstructure:"gcs_bucket_labels"`
+	SkipBucketVersioning   bool              `mapstructure:"skip_bucket_versioning"`
+	SkipBucketCreation     bool              `mapstructure:"skip_bucket_creation"`
+	EnableBucketPolicyOnly bool              `mapstructure:"enable_bucket_policy_only"`
 }
 
 // These are settings that can appear in the remote_state config that are ONLY used by Terragrunt and NOT forwarded
@@ -43,6 +44,7 @@ var terragruntGCSOnlyConfigs = []string{
 	"gcs_bucket_labels",
 	"skip_bucket_versioning",
 	"skip_bucket_creation",
+	"enable_bucket_policy_only",
 }
 
 // A representation of the configuration options available for GCS remote state
@@ -357,6 +359,11 @@ func CreateGCSBucket(gcsClient *storage.Client, config *ExtendedRemoteStateConfi
 		bucketAttrs.VersioningEnabled = true
 	}
 
+	if config.EnableBucketPolicyOnly {
+		terragruntOptions.Logger.Printf("Enabling uniform bucket-level access on GCS bucket %s", config.remoteStateConfigGCS.Bucket)
+		bucketAttrs.BucketPolicyOnly = storage.BucketPolicyOnly{Enabled: true}
+	}
+
 	err := bucket.Create(ctx, projectID, bucketAttrs)
 	return errors.WithStackTrace(err)
 }