fix!: added concrete types for simple sa variables (#386)

Author: pawan1210

examples/simple_bucket/main.tf

@@ -22,6 +22,18 @@ module "bucket" {
   project_id = var.project_id
   location   = "us"
 
+  website = {
+    main_page_suffix = "index.html"
+    not_found_page   = "404.html"
+  }
+
+  cors = [{
+    origin          = ["http://image-store.com"]
+    method          = ["GET", "HEAD", "PUT", "POST", "DELETE"]
+    response_header = ["*"]
+    max_age_seconds = 3600
+  }]
+
   lifecycle_rules = [{
     action = {
       type = "Delete"

modules/simple_bucket/README.md

@@ -40,14 +40,14 @@ Functional examples are included in the
 |------|-------------|------|---------|:--------:|
 | autoclass | While set to true, autoclass is enabled for this bucket. | `bool` | `false` | no |
 | bucket\_policy\_only | Enables Bucket Policy Only access to a bucket. | `bool` | `true` | no |
-| cors | Configuration of CORS for bucket with structure as defined in https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#cors. | `any` | `[]` | no |
+| cors | Configuration of CORS for bucket with structure as defined in https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#cors. | <pre>list(object({<br>    origin          = optional(list(string))<br>    method          = optional(list(string))<br>    response_header = optional(list(string))<br>    max_age_seconds = optional(number)<br>  }))</pre> | `[]` | no |
 | custom\_placement\_config | Configuration of the bucket's custom location in a dual-region bucket setup. If the bucket is designated a single or multi-region, the variable are null. | <pre>object({<br>    data_locations = list(string)<br>  })</pre> | `null` | no |
 | encryption | A Cloud KMS key that will be used to encrypt objects inserted into this bucket. The key name should follow the format of `projects/<project-name>/locations/<location-name>/keyRings/<keyring-name>/cryptoKeys/<key-name>`. To use a Cloud KMS key automatically created by this module use the `internal_encryption_config` input variable. | <pre>object({<br>    default_kms_key_name = string<br>  })</pre> | `null` | no |
 | force\_destroy | When deleting a bucket, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects. | `bool` | `false` | no |
 | iam\_members | The list of IAM members to grant permissions on the bucket. | <pre>list(object({<br>    role   = string<br>    member = string<br>  }))</pre> | `[]` | no |
 | internal\_encryption\_config | Configuration for the creation of an internal Google Cloud Key Management Service (KMS) Key for use as Customer-managed encryption key (CMEK) for the GCS Bucket<br>  instead of creating one in advance and providing the key in the variable `encryption.default_kms_key_name`.<br>  create\_encryption\_key: If `true` a Google Cloud Key Management Service (KMS) KeyRing and a Key will be created<br>  prevent\_destroy: Set the prevent\_destroy lifecycle attribute on keys.<br>  key\_destroy\_scheduled\_duration: Set the period of time that versions of keys spend in the `DESTROY_SCHEDULED` state before transitioning to `DESTROYED`.<br>  key\_rotation\_period: Generate a new key every time this period passes. | <pre>object({<br>    create_encryption_key          = optional(bool, false)<br>    prevent_destroy                = optional(bool, false)<br>    key_destroy_scheduled_duration = optional(string, null)<br>    key_rotation_period            = optional(string, "7776000s")<br>  })</pre> | `{}` | no |
 | labels | A set of key/value label pairs to assign to the bucket. | `map(string)` | `null` | no |
-| lifecycle\_rules | The bucket's Lifecycle Rules configuration. | <pre>list(object({<br>    # Object with keys:<br>    # - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass.<br>    # - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule.<br>    action = any<br><br>    # Object with keys:<br>    # - age - (Optional) Minimum age of an object in days to satisfy this condition.<br>    # - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.<br>    # - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY".<br>    # - matches_storage_class - (Optional) Storage Class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY.<br>    # - matches_prefix - (Optional) One or more matching name prefixes to satisfy this condition.<br>    # - matches_suffix - (Optional) One or more matching name suffixes to satisfy this condition<br>    # - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.<br>    condition = any<br>  }))</pre> | `[]` | no |
+| lifecycle\_rules | The bucket's Lifecycle Rules configuration. | <pre>list(object({<br>    # Object with keys:<br>    # - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass.<br>    # - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule.<br>    action = object({<br>      type          = string<br>      storage_class = optional(string)<br>    })<br><br>    # Object with keys:<br>    # - age - (Optional) Minimum age of an object in days to satisfy this condition.<br>    # - send_age_if_zero - (Optional) While set true, num_newer_versions value will be sent in the request even for zero value of the field.<br>    # - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.<br>    # - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY".<br>    # - matches_storage_class - (Optional) Storage Class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY.<br>    # - matches_prefix - (Optional) One or more matching name prefixes to satisfy this condition.<br>    # - matches_suffix - (Optional) One or more matching name suffixes to satisfy this condition<br>    # - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.<br>    # - custom_time_before - (Optional) A date in the RFC 3339 format YYYY-MM-DD. This condition is satisfied when the customTime metadata for the object is set to an earlier date than the date used in this lifecycle condition.<br>    # - days_since_custom_time - (Optional) Days since the date set in the customTime metadata for the object.<br>    # - days_since_noncurrent_time - (Optional) Relevant only for versioned objects. Number of days elapsed since the noncurrent timestamp of an object.<br>    # - noncurrent_time_before - (Optional) Relevant only for versioned objects. The date in RFC 3339 (e.g. 2017-06-13) when the object became nonconcurrent.<br>    condition = object({<br>      age                        = optional(number)<br>      send_age_if_zero           = optional(bool)<br>      created_before             = optional(string)<br>      with_state                 = optional(string)<br>      matches_storage_class      = optional(string)<br>      matches_prefix             = optional(string)<br>      matches_suffix             = optional(string)<br>      num_newer_versions         = optional(number)<br>      custom_time_before         = optional(string)<br>      days_since_custom_time     = optional(number)<br>      days_since_noncurrent_time = optional(number)<br>      noncurrent_time_before     = optional(string)<br>    })<br>  }))</pre> | `[]` | no |
 | location | The location of the bucket. See https://cloud.google.com/storage/docs/locations. | `string` | n/a | yes |
 | log\_bucket | The bucket that will receive log objects. | `string` | `null` | no |
 | log\_object\_prefix | The object prefix for log objects. If it's not provided, by default GCS sets this to this bucket's name | `string` | `null` | no |
@@ -58,7 +58,7 @@ Functional examples are included in the
 | soft\_delete\_policy | Soft delete policies to apply. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#nested_soft_delete_policy | <pre>object({<br>    retention_duration_seconds = optional(number)<br>  })</pre> | `{}` | no |
 | storage\_class | The Storage Class of the new bucket. | `string` | `null` | no |
 | versioning | While set to true, versioning is fully enabled for this bucket. | `bool` | `true` | no |
-| website | Map of website values. Supported attributes: main\_page\_suffix, not\_found\_page | `map(any)` | `{}` | no |
+| website | Map of website values. Supported attributes: main\_page\_suffix, not\_found\_page | <pre>object({<br>    main_page_suffix = optional(string)<br>    not_found_page   = optional(string)<br>  })</pre> | `{}` | no |
 
 ## Outputs
 

modules/simple_bucket/main.tf

@@ -53,7 +53,7 @@ resource "google_storage_bucket" "bucket" {
   }
 
   dynamic "website" {
-    for_each = length(keys(var.website)) == 0 ? toset([]) : toset([var.website])
+    for_each = (var.website.main_page_suffix == null && var.website.not_found_page == null) ? toset([]) : toset([var.website])
     content {
       main_page_suffix = lookup(website.value, "main_page_suffix", null)
       not_found_page   = lookup(website.value, "not_found_page", null)
@@ -89,9 +89,9 @@ resource "google_storage_bucket" "bucket" {
         send_age_if_zero           = lookup(lifecycle_rule.value.condition, "send_age_if_zero", null)
         created_before             = lookup(lifecycle_rule.value.condition, "created_before", null)
         with_state                 = lookup(lifecycle_rule.value.condition, "with_state", contains(keys(lifecycle_rule.value.condition), "is_live") ? (lifecycle_rule.value.condition["is_live"] ? "LIVE" : null) : null)
-        matches_storage_class      = contains(keys(lifecycle_rule.value.condition), "matches_storage_class") ? split(",", lifecycle_rule.value.condition["matches_storage_class"]) : null
-        matches_prefix             = contains(keys(lifecycle_rule.value.condition), "matches_prefix") ? split(",", lifecycle_rule.value.condition["matches_prefix"]) : null
-        matches_suffix             = contains(keys(lifecycle_rule.value.condition), "matches_suffix") ? split(",", lifecycle_rule.value.condition["matches_suffix"]) : null
+        matches_storage_class      = lifecycle_rule.value.condition["matches_storage_class"] != null ? split(",", lifecycle_rule.value.condition["matches_storage_class"]) : null
+        matches_prefix             = lifecycle_rule.value.condition["matches_prefix"] != null ? split(",", lifecycle_rule.value.condition["matches_prefix"]) : null
+        matches_suffix             = lifecycle_rule.value.condition["matches_suffix"] != null ? split(",", lifecycle_rule.value.condition["matches_suffix"]) : null
         num_newer_versions         = lookup(lifecycle_rule.value.condition, "num_newer_versions", null)
         custom_time_before         = lookup(lifecycle_rule.value.condition, "custom_time_before", null)
         days_since_custom_time     = lookup(lifecycle_rule.value.condition, "days_since_custom_time", null)

modules/simple_bucket/metadata.yaml

@@ -111,7 +111,13 @@ spec:
             })
       - name: cors
         description: Configuration of CORS for bucket with structure as defined in https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#cors.
-        varType: any
+        varType: |-
+          list(object({
+              origin          = optional(list(string))
+              method          = optional(list(string))
+              response_header = optional(list(string))
+              max_age_seconds = optional(number)
+            }))
         defaultValue: []
       - name: encryption
         description: A Cloud KMS key that will be used to encrypt objects inserted into this bucket. The key name should follow the format of `projects/<project-name>/locations/<location-name>/keyRings/<keyring-name>/cryptoKeys/<key-name>`. To use a Cloud KMS key automatically created by this module use the `internal_encryption_config` input variable.
@@ -126,17 +132,38 @@ spec:
               # Object with keys:
               # - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass.
               # - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule.
-              action = any
+              action = object({
+                type          = string
+                storage_class = optional(string)
+              })
 
               # Object with keys:
               # - age - (Optional) Minimum age of an object in days to satisfy this condition.
+              # - send_age_if_zero - (Optional) While set true, num_newer_versions value will be sent in the request even for zero value of the field.
               # - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.
               # - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY".
               # - matches_storage_class - (Optional) Storage Class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY.
               # - matches_prefix - (Optional) One or more matching name prefixes to satisfy this condition.
               # - matches_suffix - (Optional) One or more matching name suffixes to satisfy this condition
               # - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.
-              condition = any
+              # - custom_time_before - (Optional) A date in the RFC 3339 format YYYY-MM-DD. This condition is satisfied when the customTime metadata for the object is set to an earlier date than the date used in this lifecycle condition.
+              # - days_since_custom_time - (Optional) Days since the date set in the customTime metadata for the object.
+              # - days_since_noncurrent_time - (Optional) Relevant only for versioned objects. Number of days elapsed since the noncurrent timestamp of an object.
+              # - noncurrent_time_before - (Optional) Relevant only for versioned objects. The date in RFC 3339 (e.g. 2017-06-13) when the object became nonconcurrent.
+              condition = object({
+                age                        = optional(number)
+                send_age_if_zero           = optional(bool)
+                created_before             = optional(string)
+                with_state                 = optional(string)
+                matches_storage_class      = optional(string)
+                matches_prefix             = optional(string)
+                matches_suffix             = optional(string)
+                num_newer_versions         = optional(number)
+                custom_time_before         = optional(string)
+                days_since_custom_time     = optional(number)
+                days_since_noncurrent_time = optional(number)
+                noncurrent_time_before     = optional(string)
+              })
             }))
         defaultValue: []
       - name: log_bucket
@@ -147,7 +174,11 @@ spec:
         varType: string
       - name: website
         description: "Map of website values. Supported attributes: main_page_suffix, not_found_page"
-        varType: map(any)
+        varType: |-
+          object({
+              main_page_suffix = optional(string)
+              not_found_page   = optional(string)
+            })
         defaultValue: {}
       - name: public_access_prevention
         description: Prevents public access to a bucket. Acceptable values are inherited or enforced. If inherited, the bucket uses public access prevention, only if the bucket is subject to the public access prevention organization policy constraint.

modules/simple_bucket/variables.tf

@@ -94,8 +94,13 @@ variable "custom_placement_config" {
 
 variable "cors" {
   description = "Configuration of CORS for bucket with structure as defined in https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#cors."
-  type        = any
-  default     = []
+  type = list(object({
+    origin          = optional(list(string))
+    method          = optional(list(string))
+    response_header = optional(list(string))
+    max_age_seconds = optional(number)
+  }))
+  default = []
 }
 
 variable "encryption" {
@@ -112,17 +117,38 @@ variable "lifecycle_rules" {
     # Object with keys:
     # - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass.
     # - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule.
-    action = any
+    action = object({
+      type          = string
+      storage_class = optional(string)
+    })
 
     # Object with keys:
     # - age - (Optional) Minimum age of an object in days to satisfy this condition.
+    # - send_age_if_zero - (Optional) While set true, num_newer_versions value will be sent in the request even for zero value of the field.
     # - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.
     # - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY".
     # - matches_storage_class - (Optional) Storage Class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY.
     # - matches_prefix - (Optional) One or more matching name prefixes to satisfy this condition.
     # - matches_suffix - (Optional) One or more matching name suffixes to satisfy this condition
     # - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.
-    condition = any
+    # - custom_time_before - (Optional) A date in the RFC 3339 format YYYY-MM-DD. This condition is satisfied when the customTime metadata for the object is set to an earlier date than the date used in this lifecycle condition.
+    # - days_since_custom_time - (Optional) Days since the date set in the customTime metadata for the object.
+    # - days_since_noncurrent_time - (Optional) Relevant only for versioned objects. Number of days elapsed since the noncurrent timestamp of an object.
+    # - noncurrent_time_before - (Optional) Relevant only for versioned objects. The date in RFC 3339 (e.g. 2017-06-13) when the object became nonconcurrent.
+    condition = object({
+      age                        = optional(number)
+      send_age_if_zero           = optional(bool)
+      created_before             = optional(string)
+      with_state                 = optional(string)
+      matches_storage_class      = optional(string)
+      matches_prefix             = optional(string)
+      matches_suffix             = optional(string)
+      num_newer_versions         = optional(number)
+      custom_time_before         = optional(string)
+      days_since_custom_time     = optional(number)
+      days_since_noncurrent_time = optional(number)
+      noncurrent_time_before     = optional(string)
+    })
   }))
   default = []
 }
@@ -140,7 +166,10 @@ variable "log_object_prefix" {
 }
 
 variable "website" {
-  type        = map(any)
+  type = object({
+    main_page_suffix = optional(string)
+    not_found_page   = optional(string)
+  })
   default     = {}
   description = "Map of website values. Supported attributes: main_page_suffix, not_found_page"
 }