Syntax

A google_storage_bucket is used to test a Google Bucket resource

Examples

describe google_storage_bucket(name: bucket-name) do
  it { should exist }
  its('location') { should cmp 'europe-west2'.upcase }

  its('storage_class') { should eq "STANDARD" }
  its('labels') { should include("key" => "value") }
  its('retention_policy.retention_period') { should cmp 1000 }
end

describe google_storage_bucket(name: "nonexistent") do
  it { should_not exist }
end

Test that a GCP storage bucket is in the expected location

describe google_storage_bucket(name: 'chef-inspec-gcp-storage-bucket-abcd') do
  its('location') { should eq "EUROPE-WEST2" }
end

Test that a GCP storage bucket has the expected project number

describe google_storage_bucket(name: 'chef-inspec-gcp-storage-bucket-abcd') do
  its('project_number') {should eq 12345678 }
end

Test that a GCP storage bucket has the expected storage class

describe google_storage_bucket(name: 'chef-inspec-gcp-storage-bucket-abcd') do
  its('storage_class') { should eq 'STANDARD' }
end

Properties

Properties that can be accessed from the google_storage_bucket resource:

  • acl: Access controls on the bucket.

    • bucket: The name of the bucket.
    • domain: The domain associated with the entity.
    • email: The email address associated with the entity.
    • entity: The entity holding the permission, in one of the following forms: user-userId user-email group-groupId group-email domain-domain project-team-projectId allUsers allAuthenticatedUsers Examples: The user liz@example.com would be user-liz@example.com. The group example@googlegroups.com would be group-example@googlegroups.com. To refer to all members of the Google Apps for Business domain example.com, the entity would be domain-example.com.
    • entity_id: The ID for the entity
    • id: The ID of the access-control entry.
    • project_team: The project team associated with the entity
      • project_number: The project team associated with the entity
      • team: The team. Possible values:
      • editors
      • owners
      • viewers
    • role: The access permission for the entity. Possible values:
      • OWNER
      • READER
      • WRITER
  • cors: The bucket’s Cross-Origin Resource Sharing (CORS) configuration.

    • max_age_seconds: The value, in seconds, to return in the Access-Control-Max-Age header used in preflight responses.
    • method: The list of HTTP methods on which to include CORS response headers, (GET, OPTIONS, POST, etc) Note: “*” is permitted in the list of methods, and means “any method”.
    • origin: The list of Origins eligible to receive CORS response headers. Note: “*” is permitted in the list of origins, and means “any Origin”.
    • response_header: The list of HTTP headers other than the simple response headers to give permission for the user-agent to share across domains.
  • default_event_based_hold: Whether or not to automatically apply an eventBasedHold to new objects added to the bucket.

  • default_object_acl: Default access controls to apply to new objects when no ACL is provided.

    • bucket: The name of the bucket.
    • domain: The domain associated with the entity.
    • email: The email address associated with the entity.
    • entity: The entity holding the permission, in one of the following forms: * user-{{userId}} * user-{{email}} (such as “user-liz@example.com”) * group-{{groupId}} * group-{{email}} (such as “group-example@googlegroups.com”) * domain-{{domain}} (such as “domain-example.com”) * project-team-{{projectId}} * allUsers * allAuthenticatedUsers
    • entity_id: The ID for the entity
    • generation: The content generation of the object, if applied to an object.
    • id: The ID of the access-control entry.
    • object: The name of the object, if applied to an object.
    • project_team: The project team associated with the entity
      • project_number: The project team associated with the entity
      • team: The team. Possible values:
      • editors
      • owners
      • viewers
    • role: The access permission for the entity. Possible values:
      • OWNER
      • READER
  • id: The ID of the bucket. For buckets, the id and name properities are the same.

  • lifecycle: The bucket’s lifecycle configuration. See https://developers.google.com/storage/docs/lifecycle for more information.

    • rule: A lifecycle management rule, which is made of an action to take and the condition(s) under which the action will be taken.

      • action: The action to take.
      • storage_class: Target storage class. Required iff the type of the action is SetStorageClass.
      • type: Type of the action. Currently, only Delete and SetStorageClass are supported. Possible values:
        • Delete
        • SetStorageClass
      • condition: The condition(s) under which the action will be taken.
      • age_days: Age of an object (in days). This condition is satisfied when an object reaches the specified age.
      • created_before: A date in RFC 3339 format with only the date part (for instance, “2013-01-15”). This condition is satisfied when an object is created before midnight of the specified date in UTC.
      • is_live: Relevant only for versioned objects. If the value is true, this condition matches live objects; if the value is false, it matches archived objects.
      • matches_storage_class: Objects having any of the storage classes specified by this condition will be matched. Values include MULTIREGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, and DURABLEREDUCED_AVAILABILITY.
      • num_newer_versions: Relevant only for versioned objects. If the value is N, this condition is satisfied when there are at least N versions (including the live version) newer than this version of the object.
  • location: The location of the bucket. Object data for objects in the bucket resides in physical storage within this region. Defaults to US. See the developer’s guide for the authoritative list.

  • logging: The bucket’s logging configuration, which defines the destination bucket and optional name prefix for the current bucket’s logs.

    • log_bucket: The destination bucket where the current bucket’s logs should be placed.
    • log_object_prefix: A prefix for log object names.
  • metageneration: The metadata generation of this bucket.

  • name: The name of the bucket

  • owner: The owner of the bucket. This is always the project team’s owner group.

    • entity: The entity, in the form project-owner-projectId.
    • entity_id: The ID for the entity.
  • project_number: The project number of the project the bucket belongs to.

  • storage_class: The bucket’s default storage class, used whenever no storageClass is specified for a newly-created object. This defines how objects in the bucket are stored and determines the SLA and the cost of storage. Values include MULTIREGIONAL, REGIONAL, STANDARD, NEARLINE, COLDLINE, and DURABLEREDUCED_AVAILABILITY. If this value is not specified when the bucket is created, it will default to STANDARD. For more information, see storage classes. Possible values:

    • MULTI_REGIONAL
    • REGIONAL
    • STANDARD
    • NEARLINE
    • COLDLINE
    • DURABLEREDUCEDAVAILABILITY
  • time_created: The creation time of the bucket in RFC 3339 format.

  • updated: The modification time of the bucket in RFC 3339 format.

  • versioning: The bucket’s versioning configuration.

    • enabled: While set to true, versioning is fully enabled for this bucket.
  • website: The bucket’s website configuration, controlling how the service behaves when accessing bucket contents as a web site. See the Static Website Examples for more information.

    • main_page_suffix: If the requested object path is missing, the service will ensure the path has a trailing ‘/’, append this suffix, and attempt to retrieve the resulting object. This allows the creation of index.html objects to represent directory pages.
    • not_found_page: If the requested object path is missing, and any mainPageSuffix object is missing, if applicable, the service will return the named object from this bucket as the content for a 404 Not Found result.
  • labels: Labels applied to this bucket. A list of key->value pairs.

  • encryption: Encryption configuration for the bucket

    • default_kms_key_name: A Cloud KMS key that will be used to encrypt objects inserted into this bucket, if no encryption method is specified.
  • retention_policy: Retention policy for the bucket

    • effective_time: The time from which the retention policy was effective
    • is_locked: If the retention policy is locked. If true, the retention policy cannot be removed and the period cannot be reduced.
    • retention_period: The period of time, in seconds, that objects in the bucket must be retained and cannot be deleted, overwritten, or made noncurrent.
  • project: A valid API project identifier.

  • predefined_default_object_acl: Apply a predefined set of default object access controls to this bucket. Acceptable values are: - “authenticatedRead”: Object owner gets OWNER access, and allAuthenticatedUsers get READER access. - “bucketOwnerFullControl”: Object owner gets OWNER access, and project team owners get OWNER access. - “bucketOwnerRead”: Object owner gets OWNER access, and project team owners get READER access. - “private”: Object owner gets OWNER access. - “projectPrivate”: Object owner gets OWNER access, and project team members get access according to their roles. - “publicRead”: Object owner gets OWNER access, and allUsers get READER access. Possible values:

    • authenticatedRead
    • bucketOwnerFullControl
    • bucketOwnerRead
    • private
    • projectPrivate
    • publicRead

GCP Permissions

Ensure the Google Cloud Storage is enabled for the current project.