lacework / terraform-gcp-agentless-scanning

Terraform module for configuring an integration with Lacework and Google Cloud for agentless scanning
MIT License

feat: SOC2 compliant bucket creation by adding versioning flag #42

Open credibleforce opened 1 year ago

credibleforce commented 1 year ago

Feature Request

The agentless scanning module is currently missing the flag to set versioning for the created bucket.

Current bucket resource configuration:

resource "google_storage_bucket" "lacework_bucket" {
  count = var.global ? 1 : 0

  project       = local.scanning_project_id
  name          = local.bucket_name
  force_destroy = var.bucket_force_destroy
  location      = local.region

  uniform_bucket_level_access = var.bucket_enable_ubla

  dynamic "lifecycle_rule" {
    for_each = var.bucket_lifecycle_rule_age > 0 ? [1] : []
    content {
      condition {
        age = var.bucket_lifecycle_rule_age
      }
      action {
        type = "Delete"
      }
    }
  }

  labels = merge(var.labels)

  depends_on = [google_project_service.required_apis]
}

Proposed change:

resource "google_storage_bucket" "lacework_bucket" {
  count = var.global ? 1 : 0

  project       = local.scanning_project_id
  name          = local.bucket_name
  force_destroy = var.bucket_force_destroy
  location      = local.region

  uniform_bucket_level_access = var.bucket_enable_ubla

  versioning {
    enabled = var.bucket_enable_versioning
  }

  dynamic "lifecycle_rule" {
    for_each = var.bucket_lifecycle_rule_age > 0 ? [1] : []
    content {
      condition {
        age = var.bucket_lifecycle_rule_age
      }
      action {
        type = "Delete"
      }
    }
  }

  labels = merge(var.labels)

  depends_on = [google_project_service.required_apis]
}

Where an additional input variable bucket_enable_versioning is added, with default true.

variable "bucket_enable_versioning" {
  description = "Boolean for enabling Bucket Versioning on the created bucket. Default is `true`."
  type        = bool
  default     = true
}
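The flag above turns versioning on, but on its own it changes what the module's existing age-based Delete rule does: with versioning enabled, deleting a live object only makes it noncurrent, so the bucket keeps (and bills for) every superseded version indefinitely. The following is an added example, not code from the lacework module or from the issue author, that pairs the requested flag with a second lifecycle rule bounding noncurrent-version retention and a precondition refusing the unbounded combination. The resource name `scan_bucket`, the bucket name, the location and the variable `bucket_noncurrent_version_age` are assumptions made for this example; the `lifecycle { precondition }` block needs Terraform 1.2 or later.

```hcl
# Added example, not code from the lacework module or the issue author.
# Names marked "assumed" are invented for this example.

variable "bucket_enable_versioning" {
  description = "Enable object versioning so overwrites and deletes keep a recoverable noncurrent copy."
  type        = bool
  default     = true
}

variable "bucket_lifecycle_rule_age" {
  description = "Days after creation before a live object is deleted (0 disables the rule)."
  type        = number
  default     = 30
}

# Assumed variable: how long superseded (noncurrent) versions are kept.
variable "bucket_noncurrent_version_age" {
  description = "Days after an object becomes noncurrent before that version is purged (0 disables the rule)."
  type        = number
  default     = 7
}

resource "google_storage_bucket" "scan_bucket" { # assumed resource name
  name     = "example-agentless-scan-bucket"    # assumed placeholder bucket name
  location = "US"                               # assumed location

  uniform_bucket_level_access = true

  versioning {
    enabled = var.bucket_enable_versioning
  }

  # Rule 1: age-based deletion of the live object. With versioning enabled a
  # Delete on a live object does not reclaim storage; it turns the object
  # into a noncurrent version that is still readable and still billed.
  dynamic "lifecycle_rule" {
    for_each = var.bucket_lifecycle_rule_age > 0 ? [1] : []
    content {
      condition {
        age        = var.bucket_lifecycle_rule_age
        with_state = "LIVE"
      }
      action {
        type = "Delete"
      }
    }
  }

  # Rule 2: purge noncurrent versions a fixed number of days after they were
  # superseded, so versioning gives a recovery window rather than unbounded
  # growth. Only emitted when versioning is actually on.
  dynamic "lifecycle_rule" {
    for_each = var.bucket_enable_versioning && var.bucket_noncurrent_version_age > 0 ? [1] : []
    content {
      condition {
        with_state                 = "ARCHIVED"
        days_since_noncurrent_time = var.bucket_noncurrent_version_age
      }
      action {
        type = "Delete"
      }
    }
  }

  # Guard rail: refuse to plan a versioned bucket with no noncurrent-version
  # cleanup, which is the configuration that silently accumulates cost.
  lifecycle {
    precondition {
      condition     = !var.bucket_enable_versioning || var.bucket_noncurrent_version_age > 0
      error_message = "bucket_enable_versioning requires bucket_noncurrent_version_age > 0 so noncurrent versions are eventually purged."
    }
  }
}

# Surfaces the effective setting so it can be checked after apply.
output "scan_bucket_versioning_enabled" {
  value = google_storage_bucket.scan_bucket.versioning[0].enabled
}
```

`terraform validate` and `terraform plan` exercise the precondition without touching GCP; after an apply, `gcloud storage buckets describe gs://<bucket> --format="value(versioning.enabled)"` confirms the bucket actually reports versioning as enabled, which is the evidence an auditor will ask for rather than the Terraform source.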

jon-stewart commented 1 year ago

Thanks for raising this feature request @credibleforce. @ammarekbote ⬆️