feat: added support to create a single site bucket using new variable `single_site_location`

* added the ability to set `force_delete` for bucket deletion
* added the ability to set `hard_quota` (#514)
akocbek authored Feb 7, 2024
1 parent 39854bc commit dc9711e
Showing 13 changed files with 128 additions and 11 deletions.
7 changes: 5 additions & 2 deletions README.md
Expand Up @@ -178,17 +178,19 @@ You need the following permissions to run this module.
| <a name="input_create_cos_bucket"></a> [create\_cos\_bucket](#input\_create\_cos\_bucket) | Set as true to create a new Cloud Object Storage bucket | `bool` | `true` | no |
| <a name="input_create_cos_instance"></a> [create\_cos\_instance](#input\_create\_cos\_instance) | Set as true to create a new Cloud Object Storage instance. | `bool` | `true` | no |
| <a name="input_create_resource_key"></a> [create\_resource\_key](#input\_create\_resource\_key) | Set as true to create a new resource key for the Cloud Object Storage instance. | `bool` | `true` | no |
| <a name="input_cross_region_location"></a> [cross\_region\_location](#input\_cross\_region\_location) | Specify the cross-regional bucket location. Supported values are 'us', 'eu', and 'ap'. If you pass a value for this, ensure to set the value of var.region to null. | `string` | `null` | no |
| <a name="input_cross_region_location"></a> [cross\_region\_location](#input\_cross\_region\_location) | Specify the cross-regional bucket location. Supported values are 'us', 'eu', and 'ap'. If you pass a value for this, ensure to set the value of var.region and var.single\_site\_location to null. | `string` | `null` | no |
| <a name="input_existing_cos_instance_id"></a> [existing\_cos\_instance\_id](#input\_existing\_cos\_instance\_id) | The ID of an existing cloud object storage instance. Required if 'var.create\_cos\_instance' is false. | `string` | `null` | no |
| <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Key Protect or Hyper Protect instance in which the key specified in var.kms\_key\_crn is coming from. Required if var.skip\_iam\_authorization\_policy is false in order to create an IAM Access Policy to allow Key Protect or Hyper Protect to access the newly created COS instance. | `string` | `null` | no |
| <a name="input_expire_days"></a> [expire\_days](#input\_expire\_days) | Specifies the number of days when the expire rule action takes effect. Only used if 'create\_cos\_bucket' is true. | `number` | `365` | no |
| <a name="input_force_delete"></a> [force\_delete](#input\_force\_delete) | Deletes all the objects in the COS Bucket before bucket is deleted. | `bool` | `true` | no |
| <a name="input_generate_hmac_credentials"></a> [generate\_hmac\_credentials](#input\_generate\_hmac\_credentials) | Set as true to generate an HMAC key in the resource key. Only used when create\_resource\_key is `true`. | `bool` | `false` | no |
| <a name="input_hard_quota"></a> [hard\_quota](#input\_hard\_quota) | Sets a maximum amount of storage (in bytes) available for a bucket. If it is set to `null` then quota is disabled. | `number` | `null` | no |
| <a name="input_instance_cbr_rules"></a> [instance\_cbr\_rules](#input\_instance\_cbr\_rules) | (Optional, list) List of CBR rules to create for the instance | <pre>list(object({<br> description = string<br> account_id = string<br> rule_contexts = list(object({<br> attributes = optional(list(object({<br> name = string<br> value = string<br> }))) }))<br> enforcement_mode = string<br> tags = optional(list(object({<br> name = string<br> value = string<br> })), [])<br> operations = optional(list(object({<br> api_types = list(object({<br> api_type_id = string<br> }))<br> })))<br> }))</pre> | `[]` | no |
| <a name="input_kms_encryption_enabled"></a> [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set as true to use KMS key encryption to encrypt data in COS bucket (only applicable when var.create\_cos\_bucket is true). | `bool` | `true` | no |
| <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | CRN of the KMS key to use to encrypt the data in the COS bucket. Required if var.encryption\_enabled and var.create\_cos\_bucket are true. | `string` | `null` | no |
| <a name="input_management_endpoint_type_for_bucket"></a> [management\_endpoint\_type\_for\_bucket](#input\_management\_endpoint\_type\_for\_bucket) | The type of endpoint for the IBM terraform provider to use to manage the bucket. (public, private or direct) | `string` | `"public"` | no |
| <a name="input_object_versioning_enabled"></a> [object\_versioning\_enabled](#input\_object\_versioning\_enabled) | Enable object versioning to keep multiple versions of an object in a bucket. Cannot be used with retention rule. Only used if 'create\_cos\_bucket' is true. | `bool` | `false` | no |
| <a name="input_region"></a> [region](#input\_region) | The region to provision the bucket. If you pass a value for this, do not pass one for var.cross\_region\_location. | `string` | `"us-south"` | no |
| <a name="input_region"></a> [region](#input\_region) | The region to provision the bucket. If you pass a value for this, do not pass one for var.cross\_region\_location or var.single\_site\_location. | `string` | `"us-south"` | no |
| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where The COS instance will be provisioned. It is required if setting input variable create\_cos\_instance to true. | `string` | `null` | no |
| <a name="input_resource_key_existing_serviceid_crn"></a> [resource\_key\_existing\_serviceid\_crn](#input\_resource\_key\_existing\_serviceid\_crn) | CRN of existing serviceID to bind with resource key to be created. If null a new ServiceID is created for the resource key. | `string` | `null` | no |
| <a name="input_resource_key_name"></a> [resource\_key\_name](#input\_resource\_key\_name) | The name of the resource key to be created. | `string` | `"cos-resource-key"` | no |
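Review bot: the new `force_delete` row defaults to `true`, so removing the bucket resource or running `terraform destroy` first purges every object in the bucket; for a reusable module that is a destructive default worth spelling out in the description (e.g. "Deletes all objects in the bucket when the bucket resource is destroyed. Set to `false` to keep the data and fail the destroy instead.") and arguably defaulting to `false`, with the examples opting in. Separately, the `kms_key_crn` row in the same table still refers to `var.encryption_enabled`, which does not match the `kms_encryption_enabled` input listed two rows above it.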
Expand All @@ -198,6 +200,7 @@ You need the following permissions to run this module.
| <a name="input_retention_maximum"></a> [retention\_maximum](#input\_retention\_maximum) | Specifies maximum duration of time an object that can be kept unmodified for COS bucket. Only used if 'create\_cos\_bucket' is true. | `number` | `350` | no |
| <a name="input_retention_minimum"></a> [retention\_minimum](#input\_retention\_minimum) | Specifies minimum duration of time an object must be kept unmodified for COS bucket. Only used if 'create\_cos\_bucket' is true. | `number` | `90` | no |
| <a name="input_retention_permanent"></a> [retention\_permanent](#input\_retention\_permanent) | Specifies a permanent retention status either enable or disable for COS bucket. Only used if 'create\_cos\_bucket' is true. | `bool` | `false` | no |
| <a name="input_single_site_location"></a> [single\_site\_location](#input\_single\_site\_location) | Specify the single site bucket location. If you pass a value for this, ensure to set the value of var.region and var.cross\_region\_location to null. | `string` | `null` | no |
| <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits the COS instance created to read the encryption key from the KMS instance in `existing_kms_instance_guid`. WARNING: An authorization policy must exist before an encrypted bucket can be created | `bool` | `false` | no |
| <a name="input_sysdig_crn"></a> [sysdig\_crn](#input\_sysdig\_crn) | Sysdig Monitoring crn for COS bucket (Optional) | `string` | `null` | no |
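Review bot: the `single_site_location` description should enumerate the accepted values the way the `cross_region_location` row does (the example's validation lists ams03, mil01, mon01, par01, sjc04, sng01 and che01) and mention the constraint added in main.tf that `kms_encryption_enabled` must be `false` for a single-site bucket; otherwise a user working only from this table hits the validation error at plan time with no hint in the docs.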

1 change: 1 addition & 0 deletions examples/advanced/README.md
Expand Up @@ -13,6 +13,7 @@ The following resources are provisioned by this example:
- An IAM authorization policy to allow the Object Storage instance read access to the Key Protect instance.
- A regional bucket with BYOK KMS encryption, monitoring, and activity tracking.
- A cross-regional bucket with KMS encryption, monitoring, and activity tracking.
- A single-site-location bucket with hard quota, monitoring, and activity tracking.
- A basic VPC and subnet.
- A Context-based restriction (CBR) network zone containing the VPC.
- CBR rules that allow only the VPC to access the Object Storage instance and buckets over the private endpoint.
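Review bot: the new bullet for the single-site bucket lists hard quota, monitoring and activity tracking but, unlike the two bullets above it, says nothing about encryption; since the example deliberately sets `kms_encryption_enabled = false` for this bucket, say so here (e.g. "... with hard quota, monitoring, and activity tracking (no KMS encryption, which single-site locations do not support)") so readers do not assume the three buckets share the same protection.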
46 changes: 46 additions & 0 deletions examples/advanced/main.tf
Expand Up @@ -236,3 +236,49 @@ module "cos_bucket2" {
}
]
}

##############################################################################
# Create COS bucket-3 (in the COS instance created above) with:
# - Single Site Location
# - Hard Quota
# - Encryption
# - Monitoring
# - Activity Tracking
##############################################################################

module "cos_bucket3" {
source = "../../"
depends_on = [module.cos_bucket1] # Required since cos_bucket1 creates the IAM authorization policy
bucket_name = "${var.prefix}-bucket-3"
add_bucket_name_suffix = true
management_endpoint_type_for_bucket = var.management_endpoint_type_for_bucket
region = null
single_site_location = var.single_site_location
hard_quota = var.hard_quota
archive_days = null
sysdig_crn = module.observability_instances.cloud_monitoring_crn
activity_tracker_crn = local.at_crn
create_cos_instance = false
existing_cos_instance_id = module.cos_bucket1.cos_instance_id
kms_encryption_enabled = false # disable encryption because single site location doesn't support it
skip_iam_authorization_policy = true # Required since cos_bucket1 creates the IAM authorization policy
retention_enabled = false # disable retention for test environments - enable for stage/prod
bucket_cbr_rules = [
{
description = "sample rule for bucket 3"
enforcement_mode = "report"
account_id = data.ibm_iam_account_settings.iam_account_settings.account_id
rule_contexts = [{
attributes = [
{
"name" : "endpointType",
"value" : "private"
},
{
name = "networkZoneId"
value = module.cbr_zone.zone_id
}]
}]
}
]
}
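Review bot: the header comment for bucket 3 lists `# - Encryption`, but the block sets `kms_encryption_enabled = false` (with the inline comment that single-site locations do not support it); drop that comment line or reword it so the comment and the configuration agree. Two smaller points in the same block: the `attributes` list mixes the `"name" : "endpointType"` JSON-style syntax with the `name = "networkZoneId"` HCL syntax, so pick one; and the bucket inherits the module's `force_delete = true` default, which is fine for a test example but deserves a comment next to `retention_enabled = false` so the data-destruction behaviour is visible to anyone copying the example.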
5 changes: 5 additions & 0 deletions examples/advanced/outputs.tf
Expand Up @@ -7,3 +7,8 @@ output "bucket_name2" {
description = "Bucket name"
value = module.cos_bucket2.bucket_name
}

output "bucket_name3" {
description = "Bucket name"
value = module.cos_bucket3.bucket_name
}
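Review bot: `bucket_name3` reuses the description "Bucket name", which is now identical across three outputs; something like "Name of the single-site bucket (bucket 3)" makes `terraform output` self-explanatory.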
17 changes: 17 additions & 0 deletions examples/advanced/variables.tf
Expand Up @@ -45,6 +45,23 @@ variable "cross_region_location" {
}
}

variable "single_site_location" {
type = string
description = "Specify the single site bucket location. If you pass a value for this, ensure to set the value of var.region and var.cross_region_location to null."
default = "ams03"

validation {
condition = var.single_site_location == null || can(regex("ams03|mil01|mon01|par01|sjc04|sng01|che01", var.single_site_location))
error_message = "Variable 'cross_region_location' must be 'ams03', 'mil01', 'mon01', 'par01', 'sjc04', 'sng01', 'che01' or 'null'."
}
}

variable "hard_quota" {
type = number
description = "Sets a maximum amount of storage (in bytes) available for a bucket. If it is set to `null` then quota is disabled."
default = 1000000
}

variable "management_endpoint_type_for_bucket" {
type = string
description = "The type of endpoint for the IBM terraform provider to use to manage the bucket. (public, private, direct)"
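Review bot: the `error_message` in the `single_site_location` validation reads "Variable 'cross_region_location' must be ..."; it was copied from the block above and should name `single_site_location`. The condition is also weaker than it looks: `can(regex("ams03|mil01|...", var.single_site_location))` is unanchored, so any string that merely contains one of the codes (for example `"xams03"`) passes. Prefer an exact-match check such as `contains(["ams03", "mil01", "mon01", "par01", "sjc04", "sng01", "che01"], var.single_site_location)` or anchor the pattern as `^(ams03|mil01|mon01|par01|sjc04|sng01|che01)$`. Minor: `hard_quota` defaults to `1000000`, roughly 1 MB; fine for the example, but a comment stating that the unit is bytes avoids surprise.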
10 changes: 9 additions & 1 deletion main.tf
Expand Up @@ -30,9 +30,11 @@ locals {
# tflint-ignore: terraform_unused_declarations
validate_kp_guid_input = var.kms_encryption_enabled && var.create_cos_bucket && var.skip_iam_authorization_policy == false && var.existing_kms_instance_guid == null ? tobool("A value must be passed for var.existing_kms_instance_guid when creating a bucket when var.kms_encryption_enabled is true and var.skip_iam_authorization_policy is false.") : true
# tflint-ignore: terraform_unused_declarations
validate_cross_region_location_inputs = var.create_cos_bucket && ((var.cross_region_location == null && var.region == null) || (var.cross_region_location != null && var.region != null)) ? tobool("If var.create_cos_bucket is true, then value needs to be provided for var.cross_region_location or var.region, but not both") : true
validate_cross_region_location_inputs = var.create_cos_bucket && ((var.cross_region_location == null && var.region == null && var.single_site_location == null) || (var.cross_region_location != null && var.region != null && var.single_site_location != null) || (var.cross_region_location != null && var.region != null) || (var.region != null && var.single_site_location != null) || (var.cross_region_location != null && var.single_site_location != null)) ? tobool("If var.create_cos_bucket is true, then value needs to be provided for var.cross_region_location or var.region or var.single_site_location, only one of the regions can be set.") : true
# tflint-ignore: terraform_unused_declarations
validate_cross_region_location_archive_disabled_inputs = var.create_cos_bucket && (var.cross_region_location != null && var.archive_days != null) ? tobool("If var.cross_region_location is set, then var.expire_days cannot be set.") : true
# tflint-ignore: terraform_unused_declarations
validate_single_site_location_inputs = var.single_site_location != null && var.kms_encryption_enabled == true ? tobool("If var.single_site_location is set, then var.kms_encryption_enabled cannot be set as the key protect does not support single site location.") : true
}

# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
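Review bot: the rewritten `validate_cross_region_location_inputs` condition is hard to read and partly redundant (the clause requiring all three locations to be non-null is already implied by the three pairwise clauses). Since the intent is "exactly one of `region`, `cross_region_location` and `single_site_location` is set", express it as a count, e.g.
`length([for v in [var.region, var.cross_region_location, var.single_site_location] : v if v != null]) != 1`
and consider renaming the local to something like `validate_bucket_location_inputs` now that it covers all three. Also, the new `validate_single_site_location_inputs` is not gated on `var.create_cos_bucket` like the other checks, so a caller with `create_cos_bucket = false` can still trip it; and the pre-existing archive check's message still reports `var.expire_days` while its condition tests `var.archive_days`.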
Expand Down Expand Up @@ -127,9 +129,12 @@ resource "ibm_cos_bucket" "cos_bucket" {
resource_instance_id = local.cos_instance_id
region_location = var.region
cross_region_location = var.cross_region_location
single_site_location = var.single_site_location
endpoint_type = var.management_endpoint_type_for_bucket
storage_class = var.bucket_storage_class
key_protect = var.kms_key_crn
hard_quota = var.hard_quota
force_delete = var.force_delete
## This for_each block is NOT a loop to attach to multiple retention blocks.
## This block is only used to conditionally add retention block depending on retention is enabled.
dynamic "retention_rule" {
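Review bot: `force_delete` is now passed straight through to the encrypted bucket resource, which is the same resource that carries the `retention_rule` block below; it is worth confirming, and recording in a comment, how a forced delete behaves when objects are still inside a retention period or `retention_permanent` is true, because the module's default of `force_delete = true` means a destroy will attempt to purge such a bucket. The same question applies to the matching `cos_bucket1` block further down.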
Expand Down Expand Up @@ -204,8 +209,11 @@ resource "ibm_cos_bucket" "cos_bucket1" {
resource_instance_id = local.cos_instance_id
region_location = var.region
cross_region_location = var.cross_region_location
single_site_location = var.single_site_location
endpoint_type = var.management_endpoint_type_for_bucket
storage_class = var.bucket_storage_class
hard_quota = var.hard_quota
force_delete = var.force_delete
## This for_each block is NOT a loop to attach to multiple retention blocks.
## This block is only used to conditionally add retention block depending on retention is enabled.
dynamic "retention_rule" {