datasciencecampus/terraform-gcs-remote-state-bootstrap

terraform-gcs-remote-state-bootstrap

About

This module provisions:

  • A Google Cloud Storage bucket for remote Terraform state
  • A separate logging bucket for audit/access logs
  • Encryption of the state bucket using a Customer-Managed Encryption Key (CMEK) via Google Cloud KMS

Important: You must have an existing KMS key (crypto key) set up in your project and provide its full resource ID to this module. The module does not create the KMS key for you. See the kms_key_resource_name input for the required format.


Prerequisites

Before using this module, you must:

  • Create a KMS key ring and crypto key in your GCP project. Note the full resource name of the crypto key (e.g., projects/[PROJECT_ID]/locations/[REGION]/keyRings/[KEY_RING_NAME]/cryptoKeys/[KEY_NAME]).
  • Activate the following APIs in your GCP project:
    • Cloud Storage API (storage.googleapis.com)
    • IAM API (iam.googleapis.com)

Recommended: Enable these APIs via Terraform:

resource "google_project_service" "required_services" {
  for_each = toset([
    "storage.googleapis.com",
    "iam.googleapis.com"
  ])
  project = var.project_id
  service = each.key
  disable_on_destroy = false
}

Example: Creating a KMS key (if you do not already have one)

resource "google_kms_key_ring" "state" {
  name     = "your-key-ring"
  location = "europe-west2"
  project  = var.project_id
}

resource "google_kms_crypto_key" "state" {
  name            = "your-crypto-key"
  key_ring        = google_kms_key_ring.state.id
  rotation_period = "100000s"
}

Usage Example

Minimal setup with placeholder values:

module "remote_state_bootstrap" {
  # A github.com source is not a registry module, so Terraform does not accept a
  # separate "version" argument; pin the module with a ?ref= query on the source.
  source = "github.com/datasciencecampus/terraform-gcs-remote-state-bootstrap?ref={VERSION}"

  project_id                      = "[YOUR_PROJECT_ID]"
  storage_object_viewer_principal = "user:someone@example.com"
  storage_object_admin_principal  = "user:someone@example.com"
  kms_key_resource_name           = "projects/PROJECT_ID/locations/REGION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME"
  # ...add any other required or optional variables
}

Note:

  • Replace all placeholder values with your actual GCP project and resource names.
  • You must authenticate with Google Cloud and have the necessary permissions to create resources.
  • Do not commit real credentials or sensitive data to your repository.
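A drift check for what the module provisions, added here as an example and not part of the module: it parses Bucket resources in the shape returned by the Cloud Storage JSON API (constructed samples are embedded) and reports which promised properties a bucket is missing, namely the CMEK default key, access logging into the logging bucket, and object versioning with a numNewerVersions retention rule. The bucket names and the expected key value are assumptions; the field names are those of the JSON API Bucket resource.

```python
import json

# Constructed sample in the Bucket resource shape of the Cloud Storage JSON
# API: a state bucket configured the way this module describes.
GOOD_STATE_BUCKET = """{
  "name": "example-tfstate",
  "encryption": {"defaultKmsKeyName":
    "projects/PROJECT_ID/locations/REGION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME"},
  "versioning": {"enabled": true},
  "logging": {"logBucket": "example-tfstate-logs"},
  "lifecycle": {"rule": [{"action": {"type": "Delete"},
                          "condition": {"numNewerVersions": 5}}]}
}"""
# Constructed sample of the same bucket after drift: Google-managed
# encryption, versioning off, no access logging, no retention rule.
DRIFTED_STATE_BUCKET = '{"name": "example-tfstate", "versioning": {"enabled": false}}'

EXPECTED_KMS_KEY = ("projects/PROJECT_ID/locations/REGION/keyRings/"
                    "KEY_RING_NAME/cryptoKeys/KEY_NAME")
EXPECTED_LOG_BUCKET = "example-tfstate-logs"


def check_state_bucket(bucket, kms_key, log_bucket):
    """Map each property the module promises to True/False for one bucket."""
    rules = bucket.get("lifecycle", {}).get("rule", [])
    retention_rule = any(
        rule.get("action", {}).get("type") == "Delete"
        and "numNewerVersions" in rule.get("condition", {})
        for rule in rules
    )
    return {
        # CMEK: the default key must be exactly the key handed to the module.
        "cmek": bucket.get("encryption", {}).get("defaultKmsKeyName") == kms_key,
        # Access logs must land in the separate logging bucket.
        "access_logging": bucket.get("logging", {}).get("logBucket") == log_bucket,
        # Old state versions survive only if object versioning is on ...
        "versioning": bool(bucket.get("versioning", {}).get("enabled")),
        # ... and are pruned by a numNewerVersions lifecycle rule.
        "version_retention": retention_rule,
    }


def failed_checks(bucket_json, kms_key, log_bucket):
    """Parse a Bucket resource and return the sorted names of failing checks."""
    results = check_state_bucket(json.loads(bucket_json), kms_key, log_bucket)
    return sorted(name for name, ok in results.items() if not ok)
```

Run it against the real bucket by fetching https://storage.googleapis.com/storage/v1/b/STATE_BUCKET_NAME with an authenticated client and passing the response body to failed_checks; an empty list means the bucket still matches what the module applied.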

Requirements

| Name      | Version  |
|-----------|----------|
| terraform | >= 1.6.0 |
| google    | >= 4.0.0 |

Providers

| Name   | Version |
|--------|---------|
| google | 7.23.0  |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| google_kms_crypto_key_iam_member.storage_service_account | resource |
| google_storage_bucket.logging | resource |
| google_storage_bucket.state | resource |
| google_storage_bucket_iam_member.logging_admin | resource |
| google_storage_bucket_iam_member.logging_viewer | resource |
| google_storage_bucket_iam_member.state_admin | resource |
| google_storage_bucket_iam_member.state_viewer | resource |
| google_project.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| bucket_location | Location for the buckets. | string | "europe-west2" | no |
| force_destroy | Whether to force destroy the buckets (deleting all objects). Use with caution. | bool | false | no |
| kms_key_resource_name | The full resource name of the KMS key to use for bucket encryption, e.g. projects/[PROJECT_ID]/locations/[REGION]/keyRings/[KEY_RING_NAME]/cryptoKeys/[KEY_NAME]. | string | n/a | yes |
| labels | A map of labels to apply to the buckets. | map(string) | {} | no |
| logging_bucket_name_override | Name of the logging bucket. | string | "" | no |
| logging_bucket_retention_days | Number of days to retain objects in the logging bucket before automatic deletion. | number | 30 | no |
| project_id | The GCP project ID. | string | n/a | yes |
| state_bucket_name_override | Name of the remote state bucket. | string | "" | no |
| state_bucket_version_retention_count | Number of newer versions to retain in the state bucket before older versions are automatically deleted. | number | 5 | no |
| storage_object_admin_principal | The principal to be granted the Storage Object Admin role on the state bucket. Must be a valid IAM principal string, e.g. user:someone@example.com, group:admins@example.com, serviceAccount:my-sa@project.iam.gserviceaccount.com or domain:example.com. | string | n/a | yes |
| storage_object_viewer_principal | The principal to be granted the Storage Object Viewer role on the state bucket. Must be a valid IAM principal string, e.g. user:someone@example.com, group:admins@example.com, serviceAccount:my-sa@project.iam.gserviceaccount.com or domain:example.com. | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| logging_bucket_name | The name of the logging bucket. |
| state_bucket_name | The name of the remote state bucket. |

About

Terraform module to bootstrap a secure GCS remote state backend with CMEK and logging.
