feat: add lock in logging bucket (#189)

imrannayer · web-flow · commit fd276c307245 · 2023-11-08T09:26:27.000-06:00
diff --git a/examples/logbucket/project/main.tf b/examples/logbucket/project/main.tf
@@ -15,7 +15,7 @@
  */
 
 resource "random_string" "suffix" {
-  length  = 4
+  length  = 6
   upper   = false
   special = false
 }
@@ -33,7 +33,7 @@ module "log_export" {
 module "destination" {
   source                     = "../../..//modules/logbucket"
   project_id                 = var.project_destination_logbkt_id
-  name                       = "logbucket_from_other_project_${random_string.suffix.result}"
+  name                       = "logbucket_from_other_prj_${random_string.suffix.result}"
   location                   = "global"
   enable_analytics           = true
   linked_dataset_id          = "log_analytics_dataset"
diff --git a/modules/bigquery/main.tf b/modules/bigquery/main.tf
@@ -30,9 +30,10 @@ locals {
 # API activation #
 #----------------#
 resource "google_project_service" "enable_destination_api" {
-  project            = var.project_id
-  service            = "bigquery.googleapis.com"
-  disable_on_destroy = false
+  project                    = var.project_id
+  service                    = "bigquery.googleapis.com"
+  disable_on_destroy         = false
+  disable_dependent_services = false
 }
 
 #------------------#
diff --git a/modules/logbucket/README.md b/modules/logbucket/README.md
@@ -42,6 +42,7 @@ module "destination" {
 | linked\_dataset\_description | A use-friendly description of the linked BigQuery dataset. The maximum length of the description is 8000 characters. | `string` | `null` | no |
 | linked\_dataset\_id | The ID of the linked BigQuery dataset. A valid link dataset ID must only have alphanumeric characters and underscores within it and have up to 100 characters. | `string` | `null` | no |
 | location | The location of the log bucket. | `string` | `"global"` | no |
+| locked | (Optional) Whether the bucket is locked. The retention period on a locked bucket cannot be changed. Locked buckets may only be deleted if they are empty | `bool` | `null` | no |
 | log\_sink\_writer\_identity | The service account that logging uses to write log entries to the destination. (This is available as an output coming from the root module). | `string` | n/a | yes |
 | name | The name of the log bucket to be created and used for log entries matching the filter. | `string` | n/a | yes |
 | project\_id | The ID of the project in which the log bucket will be created. | `string` | n/a | yes |
diff --git a/modules/logbucket/main.tf b/modules/logbucket/main.tf
@@ -23,9 +23,10 @@ locals {
 # API activation #
 #----------------#
 resource "google_project_service" "enable_destination_api" {
-  project            = var.project_id
-  service            = "logging.googleapis.com"
-  disable_on_destroy = false
+  project                    = var.project_id
+  service                    = "logging.googleapis.com"
+  disable_on_destroy         = false
+  disable_dependent_services = false
 }
 
 #------------#
@@ -38,6 +39,7 @@ resource "google_logging_project_bucket_config" "bucket" {
   retention_days   = var.retention_days
   enable_analytics = var.enable_analytics
   bucket_id        = var.name
+  locked           = var.locked
 }
 
 #-------------------------#
diff --git a/modules/logbucket/variables.tf b/modules/logbucket/variables.tf
@@ -64,3 +64,9 @@ variable "linked_dataset_description" {
   type        = string
   default     = null
 }
+
+variable "locked" {
+  description = "(Optional) Whether the bucket is locked. The retention period on a locked bucket cannot be changed. Locked buckets may only be deleted if they are empty"
+  default     = null
+  type        = bool
+}
diff --git a/modules/pubsub/main.tf b/modules/pubsub/main.tf
@@ -39,9 +39,10 @@ locals {
 # API activation #
 #----------------#
 resource "google_project_service" "enable_destination_api" {
-  project            = var.project_id
-  service            = "pubsub.googleapis.com"
-  disable_on_destroy = false
+  project                    = var.project_id
+  service                    = "pubsub.googleapis.com"
+  disable_on_destroy         = false
+  disable_dependent_services = false
 }
 
 #--------------#
diff --git a/modules/storage/main.tf b/modules/storage/main.tf
@@ -23,9 +23,10 @@ locals {
 # API activation #
 #----------------#
 resource "google_project_service" "enable_destination_api" {
-  project            = var.project_id
-  service            = "storage-component.googleapis.com"
-  disable_on_destroy = false
+  project                    = var.project_id
+  service                    = "storage-component.googleapis.com"
+  disable_on_destroy         = false
+  disable_dependent_services = false
 }
 
 #----------------#
