From e5e49094165ce876479f6a852889b17726807caa Mon Sep 17 00:00:00 2001 From: Vladislav Kamlov Date: Tue, 21 Mar 2023 18:28:55 +0200 Subject: [PATCH] feat: Hmac access (#181) --- .gitignore | 3 +++ README.md | 3 +++ main.tf | 7 +++++++ outputs.tf | 6 ++++++ variables.tf | 12 ++++++++++++ 5 files changed, 31 insertions(+) diff --git a/.gitignore b/.gitignore index 1df41d63..24d15afa 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,9 @@ # OSX leaves these everywhere on SMB shares ._* +# VS Code +.vscode + # OSX trash .DS_Store diff --git a/README.md b/README.md index 0dbb8fe0..6f3d00f6 100644 --- a/README.md +++ b/README.md @@ -63,6 +63,7 @@ Functional examples are included in the | folders | Map of lowercase unprefixed name => list of top level folder objects. | `map(list(string))` | `{}` | no | | force\_destroy | Optional map of lowercase unprefixed name => boolean, defaults to false. | `map(bool)` | `{}` | no | | hmac\_key\_admins | IAM-style members who will be granted roles/storage.hmacKeyAdmin on all buckets. | `list(string)` | `[]` | no | +| hmac\_service\_accounts | List of HMAC service accounts to grant access to GCS. | `map(string)` | `{}` | no | | labels | Labels to be attached to the buckets | `map(string)` | `{}` | no | | lifecycle\_rules | List of lifecycle rules to configure. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#lifecycle_rule except condition.matches\_storage\_class should be a comma delimited string. |
set(object({
# Object with keys:
# - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass.
# - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule.
action = map(string)

# Object with keys:
# - age - (Optional) Minimum age of an object in days to satisfy this condition.
# - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.
# - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY".
# - matches_storage_class - (Optional) Comma delimited string for storage class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY.
# - matches_prefix - (Optional) One or more matching name prefixes to satisfy this condition.
# - matches_suffix - (Optional) One or more matching name suffixes to satisfy this condition.
# - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.
# - custom_time_before - (Optional) A date in the RFC 3339 format YYYY-MM-DD. This condition is satisfied when the customTime metadata for the object is set to an earlier date than the date used in this lifecycle condition.
# - days_since_custom_time - (Optional) The number of days from the Custom-Time metadata attribute after which this condition becomes true.
# - days_since_noncurrent_time - (Optional) Relevant only for versioned objects. Number of days elapsed since the noncurrent timestamp of an object.
# - noncurrent_time_before - (Optional) Relevant only for versioned objects. The date in RFC 3339 (e.g. 2017-06-13) when the object became nonconcurrent.
condition = map(string)
}))
| `[]` | no | | location | Bucket location. | `string` | `"EU"` | no | @@ -75,6 +76,7 @@ Functional examples are included in the | retention\_policy | Map of retention policy values. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket#retention_policy | `any` | `{}` | no | | set\_admin\_roles | Grant roles/storage.objectAdmin role to admins and bucket\_admins. | `bool` | `false` | no | | set\_creator\_roles | Grant roles/storage.objectCreator role to creators and bucket\_creators. | `bool` | `false` | no | +| set\_hmac\_access | Set S3 compatible access to GCS. | `bool` | `false` | no | | set\_hmac\_key\_admin\_roles | Grant roles/storage.hmacKeyAdmin role to hmac\_key\_admins and bucket\_hmac\_key\_admins. | `bool` | `false` | no | | set\_storage\_admin\_roles | Grant roles/storage.admin role to storage\_admins and bucket\_storage\_admins. | `bool` | `false` | no | | set\_viewer\_roles | Grant roles/storage.objectViewer role to viewers and bucket\_viewers. | `bool` | `false` | no | @@ -91,6 +93,7 @@ Functional examples are included in the | bucket | Bucket resource (for single use). | | buckets | Bucket resources as list. | | buckets\_map | Bucket resources by name. | +| hmac\_keys | List of HMAC keys. | | name | Bucket name (for single use). | | names | Bucket names. | | names\_list | List of bucket names. | diff --git a/main.tf b/main.tf index c0f2b8d5..1d28ec12 100644 --- a/main.tf +++ b/main.tf @@ -230,3 +230,10 @@ resource "google_storage_bucket_object" "folders" { name = "${each.value.folder}/" # Declaring an object with a trailing '/' creates a directory content = "foo" # Note that the content string isn't actually used, but is only there since the resource requires it } + +resource "google_storage_hmac_key" "hmac_keys" { + project = var.project_id + for_each = var.set_hmac_access ? var.hmac_service_accounts : {} + service_account_email = each.key + state = each.value +} 
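Review bot: The `google_storage_hmac_key.hmac_keys` resource added at the end of main.tf persists each key's `secret` attribute in plaintext in the Terraform state, so turning on `set_hmac_access` makes the state file a store of long-lived S3-compatible credentials, and nothing in the change documents that. I would put a comment above the resource: `# HMAC keys are long-lived static credentials; the provider stores each key's secret in Terraform state, so keep state in a restricted, encrypted backend.` Because `for_each` is keyed on the service account email, each account gets at most one key from this module, so rotation presumably has to go through `terraform apply -replace=...` on the specific instance rather than a second map entry; a second comment line saying so would save the next operator a surprise. The `state` value is passed through from `each.value` unvalidated; I raise that on the variables.tf hunk.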
diff --git a/outputs.tf b/outputs.tf index 6e32d29a..e9600ce0 100644 --- a/outputs.tf +++ b/outputs.tf @@ -62,3 +62,9 @@ output "urls_list" { description = "List of bucket URLs." value = local.buckets_list[*].url } + +output "hmac_keys" { + description = "List of HMAC keys." + value = google_storage_hmac_key.hmac_keys[*] + sensitive = true +} diff --git a/variables.tf b/variables.tf index cc238d0b..5a8df373 100644 --- a/variables.tf +++ b/variables.tf @@ -260,6 +260,18 @@ variable "logging" { default = {} } +variable "set_hmac_access" { + description = "Set S3 compatible access to GCS." + type = bool + default = false +} + +variable "hmac_service_accounts" { + description = "List of HMAC service accounts to grant access to GCS." + type = map(string) + default = {} +} + variable "public_access_prevention" { description = "Prevents public access to a bucket. Acceptable values are inherited or enforced. If inherited, the bucket uses public access prevention, only if the bucket is subject to the public access prevention organization policy constraint." type = string
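Review bot: `value = google_storage_hmac_key.hmac_keys[*]` in the new `hmac_keys` output applies a splat to a `for_each` resource, which is a map of objects; Terraform's special-case splat on a non-list value wraps the whole map in a single-element tuple instead of producing the "List of HMAC keys" the description promises. Use the map directly, `value = google_storage_hmac_key.hmac_keys`, and describe it as `"Map of service account email => HMAC key resource (access_id, secret, state)."`, or build a list with a `for` expression if a list is really wanted. `sensitive = true` is right, but it only redacts CLI output: the secret is still readable via `terraform output -json` and by anyone with state access, so the description should say that, and consider exposing only `access_id` by default with the secret in a separate, explicitly named output.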
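Review bot: The new `hmac_service_accounts` variable accepts any string as its value, but main.tf feeds that value straight into the HMAC key's `state`, which the provider, as far as I recall, only accepts as `ACTIVE` or `INACTIVE`; a typo is caught only at apply time, and the description ("List of HMAC service accounts") does not say the type is a map of email => state at all. I would tighten the description and add a `validation` block, and also reword `set_hmac_access` to `"Create S3-compatible HMAC keys for the service accounts in hmac_service_accounts."` so the two variables are clearly linked.

```hcl
variable "hmac_service_accounts" {
  description = "Map of service account email => HMAC key state (\"ACTIVE\" or \"INACTIVE\"). One S3-compatible HMAC key is created per entry when set_hmac_access is true."
  type        = map(string)
  default     = {}

  validation {
    condition     = alltrue([for s in values(var.hmac_service_accounts) : contains(["ACTIVE", "INACTIVE"], s)])
    error_message = "Each value of hmac_service_accounts must be \"ACTIVE\" or \"INACTIVE\"."
  }
}
```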