What is uniform bucket-level access?

Uniform bucket-level access disables per-object ACLs and uses only IAM for permissions. Google recommends it because it makes access control consistent and auditable. The builder enables it by default for safer permissions.

How do lifecycle rules work in GCS?

A lifecycle rule applies an action — Delete or SetStorageClass — when a condition is met, such as an object reaching a given age in days. This automatically cleans up or tiers down old data to cheaper storage classes like Nearline or Coldline.

What does public_access_prevention do?

Setting it to enforced blocks the bucket and its objects from ever becoming publicly accessible, regardless of IAM bindings. It is a strong guardrail against accidental data exposure and is recommended for non-public buckets.

Why must the bucket name be globally unique?

Cloud Storage bucket names share a single global namespace across all GCP projects and customers. If a name is taken, terraform apply fails. Prefix names with your project or organization to avoid collisions.

Should I enable object versioning?

Versioning keeps previous copies of overwritten or deleted objects, protecting against accidental loss. It increases storage cost, so pair it with a lifecycle rule that deletes noncurrent versions after a retention period.

Terraform GCP Cloud Storage Config Builder

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Provision a GCS bucket the Terraform way

Hand-writing google_storage_bucket HCL means remembering the right nested blocks for versioning, lifecycle, and access control. This builder assembles a correct, opinionated resource — secure defaults on, plus an optional IAM binding — that you can drop straight into your Terraform configuration.

How it works

The generated google_storage_bucket resource declares the bucket name, project, location, and storage_class. It sets uniform_bucket_level_access = true so permissions are governed entirely by IAM rather than legacy per-object ACLs, and enforces public_access_prevention to block accidental public exposure.

A versioning block keeps prior object generations, and an optional lifecycle_rule applies an action once objects reach a given age. Choosing Delete removes old objects, while choosing a storage class (Nearline, Coldline, Archive) emits a SetStorageClass action that tiers data down to cheaper storage. If you enable the IAM binding, a separate google_storage_bucket_iam_member grants a role to a member without overwriting other bindings.

Tips and notes

force_destroy is set to false so Terraform will refuse to delete a non-empty bucket — flip it to true only for disposable buckets.
Use google_storage_bucket_iam_member (additive) rather than ..._iam_policy (authoritative) unless you intend to manage the entire policy in Terraform.
Combine versioning with a lifecycle rule on noncurrent versions to control cost.
Bucket names are global; prefix them with your org or project to avoid 409 conflict errors on apply.