feat!: add hierarchical namespace flag (#375)

Co-authored-by: Awais Malik <awmalik@google.com>

Author: xaviermanachwebedia2

README.md

@@ -63,6 +63,7 @@ Functional examples are included in the
 | encryption\_key\_names | Optional map of lowercase unprefixed name => string, empty strings are ignored. | `map(string)` | `{}` | no |
 | folders | Map of lowercase unprefixed name => list of top level folder objects. | `map(list(string))` | `{}` | no |
 | force\_destroy | Optional map of lowercase unprefixed name => boolean, defaults to false. | `map(bool)` | `{}` | no |
+| hierarchical\_namespace | Optional map of lowercase unprefixed bucket name => boolean, defaults to false. | `map(bool)` | `{}` | no |
 | hmac\_key\_admins | IAM-style members who will be granted roles/storage.hmacKeyAdmin on all buckets. | `list(string)` | `[]` | no |
 | hmac\_service\_accounts | List of HMAC service accounts to grant access to GCS. | `map(string)` | `{}` | no |
 | labels | Labels to be attached to the buckets | `map(string)` | `{}` | no |

main.tf

@@ -76,6 +76,13 @@ resource "google_storage_bucket" "buckets" {
       false,
     )
   }
+  hierarchical_namespace {
+    enabled = lookup(
+      var.hierarchical_namespace,
+      lower(each.value),
+      false,
+    )
+  }
   # Having a permanent encryption block with default_kms_key_name = "" works but results in terraform applying a change every run
   # There is no enabled = false attribute available to ask terraform to ignore the block
   dynamic "encryption" {

metadata.display.yaml

@@ -75,6 +75,9 @@ spec:
         force_destroy:
           name: force_destroy
           title: Force Destroy
+        hierarchical_namespace:
+          name: hierarchical_namespace
+          title: Hierarchical Namespace
         hmac_key_admins:
           name: hmac_key_admins
           title: Hmac Key Admins

metadata.yaml

@@ -76,6 +76,10 @@ spec:
         description: Optional map of lowercase unprefixed bucket name => boolean, defaults to false.
         varType: map(bool)
         defaultValue: {}
+      - name: hierarchical_namespace
+        description: Optional map of lowercase unprefixed bucket name => boolean, defaults to false.
+        varType: map(bool)
+        defaultValue: {}
       - name: encryption_key_names
         description: Optional map of lowercase unprefixed name => string, empty strings are ignored.
         varType: map(string)
@@ -330,6 +334,11 @@ spec:
               - - object
                 - default_kms_key_name: string
             force_destroy: bool
+            hierarchical_namespace:
+              - list
+              - - object
+                - enabled: bool
+                  terminal_storage_class: string
             id: string
             labels:
               - map
@@ -448,6 +457,11 @@ spec:
                   - - object
                     - default_kms_key_name: string
                 force_destroy: bool
+                hierarchical_namespace:
+                  - list
+                  - - object
+                    - enabled: bool
+                      terminal_storage_class: string
                 id: string
                 labels:
                   - map
@@ -567,6 +581,11 @@ spec:
                   - - object
                     - default_kms_key_name: string
                 force_destroy: bool
+                hierarchical_namespace:
+                  - list
+                  - - object
+                    - enabled: bool
+                      terminal_storage_class: string
                 id: string
                 labels:
                   - map

modules/simple_bucket/README.md

@@ -44,6 +44,7 @@ Functional examples are included in the
 | custom\_placement\_config | Configuration of the bucket's custom location in a dual-region bucket setup. If the bucket is designated a single or multi-region, the variable are null. | <pre>object({<br>    data_locations = list(string)<br>  })</pre> | `null` | no |
 | encryption | A Cloud KMS key that will be used to encrypt objects inserted into this bucket. The key name should follow the format of `projects/<project-name>/locations/<location-name>/keyRings/<keyring-name>/cryptoKeys/<key-name>`. To use a Cloud KMS key automatically created by this module use the `internal_encryption_config` input variable. | <pre>object({<br>    default_kms_key_name = string<br>  })</pre> | `null` | no |
 | force\_destroy | When deleting a bucket, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects. | `bool` | `false` | no |
+| hierarchical\_namespace | When set to true, hierarchical namespace is enable for this bucket. | `bool` | `false` | no |
 | iam\_members | The list of IAM members to grant permissions on the bucket. | <pre>list(object({<br>    role   = string<br>    member = string<br>  }))</pre> | `[]` | no |
 | internal\_encryption\_config | Configuration for the creation of an internal Google Cloud Key Management Service (KMS) Key for use as Customer-managed encryption key (CMEK) for the GCS Bucket<br>  instead of creating one in advance and providing the key in the variable `encryption.default_kms_key_name`.<br>  create\_encryption\_key: If `true` a Google Cloud Key Management Service (KMS) KeyRing and a Key will be created<br>  prevent\_destroy: Set the prevent\_destroy lifecycle attribute on keys.<br>  key\_destroy\_scheduled\_duration: Set the period of time that versions of keys spend in the `DESTROY_SCHEDULED` state before transitioning to `DESTROYED`.<br>  key\_rotation\_period: Generate a new key every time this period passes. | <pre>object({<br>    create_encryption_key          = optional(bool, false)<br>    prevent_destroy                = optional(bool, false)<br>    key_destroy_scheduled_duration = optional(string, null)<br>    key_rotation_period            = optional(string, "7776000s")<br>  })</pre> | `{}` | no |
 | labels | A set of key/value label pairs to assign to the bucket. | `map(string)` | `null` | no |

modules/simple_bucket/main.tf

@@ -37,6 +37,10 @@ resource "google_storage_bucket" "bucket" {
     enabled = var.autoclass
   }
 
+  hierarchical_namespace {
+    enabled = var.hierarchical_namespace
+  }
+
   dynamic "retention_policy" {
     for_each = var.retention_policy == null ? [] : [var.retention_policy]
     content {

modules/simple_bucket/metadata.display.yaml

@@ -49,6 +49,10 @@ spec:
         force_destroy:
           name: force_destroy
           title: Force Destroy
+          invisible: false
+        hierarchical_namespace:
+          name: hierarchical_namespace
+          title: Hierarchical Namespace
         iam_members:
           name: iam_members
           title: Iam Members

modules/simple_bucket/metadata.yaml

@@ -96,6 +96,10 @@ spec:
         description: While set to true, autoclass is enabled for this bucket.
         varType: bool
         defaultValue: false
+      - name: hierarchical_namespace
+        description: While set to true, hierarchical namespace is enabled for this bucket.
+        varType: bool
+        defaultValue: false
       - name: retention_policy
         description: Configuration of the bucket's data retention policy for how long objects in the bucket should be retained.
         varType: |-
@@ -247,6 +251,11 @@ spec:
               - - object
                 - default_kms_key_name: string
             force_destroy: bool
+            hierarchical_namespace:
+              - list
+              - - object
+                - enabled: bool
+                  terminal_storage_class: string
             id: string
             labels:
               - map

modules/simple_bucket/variables.tf

@@ -75,6 +75,12 @@ variable "autoclass" {
   default     = false
 }
 
+variable "hierarchical_namespace" {
+  description = "When set to true, hierarchical namespace is enable for this bucket."
+  type        = bool
+  default     = false
+}
+
 variable "retention_policy" {
   description = "Configuration of the bucket's data retention policy for how long objects in the bucket should be retained."
   type = object({

modules/simple_bucket/versions.tf

@@ -20,7 +20,7 @@ terraform {
 
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.43.0, < 7"
+      version = ">= 6.9.0, < 7"
     }
   }