diff --git a/build/terraform b/build/terraform index 4458b4963585..607ed8c4cae4 160000 --- a/build/terraform +++ b/build/terraform @@ -1 +1 @@ -Subproject commit 4458b4963585b584e6941ee31eb3714909692be7 +Subproject commit 607ed8c4cae47aa8ea48ac7fe1f4485d944def2b diff --git a/build/terraform-beta b/build/terraform-beta index 01a5d636631a..d84702082cda 160000 --- a/build/terraform-beta +++ b/build/terraform-beta @@ -1 +1 @@ -Subproject commit 01a5d636631ae1fe79179907f3110b0d5a8a0349 +Subproject commit d84702082cdab8c7fb0466e6bc6a7c4aa6c34fe4 diff --git a/third_party/terraform/resources/resource_storage_bucket.go b/third_party/terraform/resources/resource_storage_bucket.go index 2b17c01f2c89..10e8611bdbbb 100644 --- a/third_party/terraform/resources/resource_storage_bucket.go +++ b/third_party/terraform/resources/resource_storage_bucket.go @@ -261,6 +261,11 @@ func resourceStorageBucket() *schema.Resource { }, }, }, + "bucket_policy_only": { + Type: schema.TypeBool, + Optional: true, + Default: false, + }, }, } } @@ -279,9 +284,10 @@ func resourceStorageBucketCreate(d *schema.ResourceData, meta interface{}) error // Create a bucket, setting the labels, location and name. sb := &storage.Bucket{ - Name: bucket, - Labels: expandLabels(d), - Location: location, + Name: bucket, + Labels: expandLabels(d), + Location: location, + IamConfiguration: expandIamConfiguration(d), } if v, ok := d.GetOk("storage_class"); ok { @@ -455,6 +461,10 @@ func resourceStorageBucketUpdate(d *schema.ResourceData, meta interface{}) error } } + if d.HasChange("bucket_policy_only") { + sb.IamConfiguration = expandIamConfiguration(d) + } + res, err := config.clientStorage.Buckets.Patch(d.Get("name").(string), sb).Do() if err != nil { 
@@ -514,6 +524,7 @@ func resourceStorageBucketRead(d *schema.ResourceData, meta interface{}) error { d.Set("versioning", flattenBucketVersioning(res.Versioning)) d.Set("lifecycle_rule", flattenBucketLifecycle(res.Lifecycle)) d.Set("labels", res.Labels) + d.Set("bucket_policy_only", res.IamConfiguration.BucketPolicyOnly.Enabled) if res.Billing == nil { d.Set("requester_pays", nil) @@ -783,6 +794,16 @@ func flattenBucketLifecycleRuleCondition(condition *storage.BucketLifecycleRuleC return ruleCondition } +func expandIamConfiguration(d *schema.ResourceData) *storage.BucketIamConfiguration { + iamConfig := &storage.BucketIamConfiguration{} + if v, ok := d.GetOk("bucket_policy_only"); ok { + iamConfig.BucketPolicyOnly = &storage.BucketIamConfigurationBucketPolicyOnly{ + Enabled: v.(bool), + } + } + return iamConfig +} + func expandStorageBucketLifecycle(v interface{}) (*storage.BucketLifecycle, error) { if v == nil { return &storage.BucketLifecycle{ diff --git a/third_party/terraform/tests/resource_storage_bucket_test.go b/third_party/terraform/tests/resource_storage_bucket_test.go index 48c2d3e1a9c1..68bd9fcd2c44 100644 --- a/third_party/terraform/tests/resource_storage_bucket_test.go +++ b/third_party/terraform/tests/resource_storage_bucket_test.go 
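Review bot: The added `d.Set("bucket_policy_only", res.IamConfiguration.BucketPolicyOnly.Enabled)` dereferences two pointers without a nil check, so a response with no `IamConfiguration` or no `BucketPolicyOnly` would panic the provider during refresh or import. The next context line already guards `res.Billing == nil` before reading from it, and the same treatment fits here, writing `false` into state when either pointer is nil. resourceStorageBucketRead starts and ends outside this hunk, so an earlier guard cannot be ruled out, but none is visible.

```go
// … unchanged: versioning, lifecycle_rule and labels are set above …
if res.IamConfiguration != nil && res.IamConfiguration.BucketPolicyOnly != nil {
	d.Set("bucket_policy_only", res.IamConfiguration.BucketPolicyOnly.Enabled)
} else {
	d.Set("bucket_policy_only", false)
}
```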
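Review bot: `expandIamConfiguration` cannot express "disabled": `d.GetOk` reports ok=false for a bool whose value is false, so the helper returns an empty `BucketIamConfiguration`, and even an explicit `Enabled: false` is a zero value that the generated API structs normally omit from the request body. The update hunk calls this helper when `bucket_policy_only` changes, so a change from true to false likely sends a patch that leaves the setting enabled on the bucket although the configuration asks for it to be off, which is drift in an access-control setting. Reading the value with `d.Get` and naming the fields in `ForceSendFields` makes both directions explicit. The create hunk uses the same helper and would then also send the value explicitly.

```go
func expandIamConfiguration(d *schema.ResourceData) *storage.BucketIamConfiguration {
	return &storage.BucketIamConfiguration{
		ForceSendFields: []string{"BucketPolicyOnly"},
		BucketPolicyOnly: &storage.BucketIamConfigurationBucketPolicyOnly{
			Enabled:         d.Get("bucket_policy_only").(bool),
			ForceSendFields: []string{"Enabled"},
		},
	}
}
```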
@@ -762,6 +762,35 @@ func TestAccStorageBucket_encryption(t *testing.T) { }) } +func TestAccStorageBucket_bucketPolicyOnly(t *testing.T) { + t.Parallel() + + bucketName := fmt.Sprintf("tf-test-acl-bucket-%d", acctest.RandInt()) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: testAccStorageBucket_bucketPolicyOnly(bucketName, false), + }, + { + ResourceName: "google_storage_bucket.bucket", + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccStorageBucket_bucketPolicyOnly(bucketName, true), + }, + { + ResourceName: "google_storage_bucket.bucket", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + func TestAccStorageBucket_labels(t *testing.T) { t.Parallel() @@ -1249,6 +1278,15 @@ resource "google_storage_bucket" "bucket" { `, bucketName) } +func testAccStorageBucket_bucketPolicyOnly(bucketName string, enabled bool) string { + return fmt.Sprintf(` +resource "google_storage_bucket" "bucket" { + name = "%s" + bucket_policy_only = %t +} +`, bucketName, enabled) +} + func testAccStorageBucket_encryption(context map[string]interface{}) string { return Nprintf(` resource "google_project" "acceptance" { diff --git a/third_party/terraform/website/docs/r/storage_bucket.html.markdown b/third_party/terraform/website/docs/r/storage_bucket.html.markdown index 41bcc58f7b9b..bd84ee7394d1 100644 --- a/third_party/terraform/website/docs/r/storage_bucket.html.markdown +++ b/third_party/terraform/website/docs/r/storage_bucket.html.markdown 
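Review bot: The steps in `TestAccStorageBucket_bucketPolicyOnly` go from `false` to `true` but never back, so the disable path, where a false value has to reach the API explicitly, is not exercised. A further step `Config: testAccStorageBucket_bucketPolicyOnly(bucketName, false),` followed by the same import-verify step would cover it. The test case also sets no `CheckDestroy`, and the bucket name prefix `tf-test-acl-bucket` looks copied from an ACL test. Both are worth aligning with the neighbouring tests, which are not visible in this hunk.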
@@ -73,6 +73,8 @@ The following arguments are supported: * `requester_pays` - (Optional, Default: false) Enables [Requester Pays](https://cloud.google.com/storage/docs/requester-pays) on a storage bucket. +* `bucket_policy_only` - (Optional, Default: false) Enables [Bucket Policy Only](https://cloud.google.com/storage/docs/bucket-policy-only) access to a bucket. + The `lifecycle_rule` block supports: * `action` - (Required) The Lifecycle Rule's action configuration. A single block of this type is supported. Structure is documented below.