Setup state bucket for gcp training

terraform-examples/terraform-state-bucket-admin-iam.tf

@@ -1,16 +1,16 @@
-# # This SA needs to be able to do some privileged work
-# #tfsec:ignore:google-iam-no-privileged-service-accounts
-# #checkov:skip=CKV_GCP_117:Allow admin for this bucket
-# resource "google_project_iam_binding" "project_iam_binding" {
-#   for_each = toset([
-#     "roles/storage.admin"
-#   ])
-#   project = data.google_project.project.project_id
-#   role    = "roles/storage.admin"
+# This SA needs to be able to do some privileged work
+#tfsec:ignore:google-iam-no-privileged-service-accounts
+#checkov:skip=CKV_GCP_117:Allow admin for this bucket
+resource "google_project_iam_binding" "project_iam_binding" {
+  for_each = toset([
+    "roles/storage.admin"
+  ])
+  project = data.google_project.project.project_id
+  role    = "roles/storage.admin"
 
-#   #tfsec:ignore:google-iam-no-privileged-service-accounts
-#   members = [
-#     "serviceAccount:${google_service_account.sa.email}",
-#     "serviceAccount:${var.admin_sa_email}"
-#   ]
-# }
+  #tfsec:ignore:google-iam-no-privileged-service-accounts
+  members = [
+    "serviceAccount:${google_service_account.sa.email}",
+    "serviceAccount:${var.admin_sa_email}"
+  ]
+}

terraform-examples/terraform-state-bucket.tf

@@ -1,21 +1,21 @@
-# resource "google_storage_bucket" "state_bucket" {
-#   #checkov:skip=CKV_GCP_62:Logging deactivated for now
-#   project                     = data.google_project.project.project_id
-#   name                        = "${data.google_project.project.project_id}-state"
-#   location                    = var.location
-#   uniform_bucket_level_access = true
-#   force_destroy               = true
+resource "google_storage_bucket" "state_bucket" {
+  #checkov:skip=CKV_GCP_62:Logging deactivated for now
+  project                     = data.google_project.project.project_id
+  name                        = "${data.google_project.project.project_id}-state"
+  location                    = var.location
+  uniform_bucket_level_access = true
+  force_destroy               = true
 
-#   public_access_prevention = "enforced"
+  public_access_prevention = "enforced"
 
-#   versioning {
-#     #checkov:skip=CKV_GCP_78:We don't version states
-#     enabled = false
-#   }
-# }
+  versioning {
+    #checkov:skip=CKV_GCP_78:We don't version states
+    enabled = false
+  }
+}
 
-# resource "google_storage_bucket_iam_member" "bucket_iam_member" {
-#   bucket = google_storage_bucket.state_bucket.name
-#   role   = "roles/storage.admin"
-#   member = "serviceAccount:${google_service_account.sa.email}"
-# }
+resource "google_storage_bucket_iam_member" "bucket_iam_member" {
+  bucket = google_storage_bucket.state_bucket.name
+  role   = "roles/storage.admin"
+  member = "serviceAccount:${google_service_account.sa.email}"
+}