Add Private Service Connect endpoint support to GCS backend (#31967)
* Add support for `storage_custom_endpoint` in `gcs` backend

* Add documentation for new `storage_custom_endpoint` endpoint

* Empty commit to trigger Vercel deployment
SarahFrench authored Oct 11, 2022
1 parent bc1436a commit 89ef27d
Showing 2 changed files with 17 additions and 1 deletion.
15 changes: 15 additions & 0 deletions internal/backend/remote-state/gcs/backend.go
@@ -102,6 +102,15 @@ func New() backend.Backend {
Description: "A Cloud KMS key ('customer managed encryption key') used when reading and writing state files in the bucket. Format should be 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{name}}'.",
ConflictsWith: []string{"encryption_key"},
},

"storage_custom_endpoint": {
Type: schema.TypeString,
Optional: true,
DefaultFunc: schema.MultiEnvDefaultFunc([]string{
"GOOGLE_BACKEND_STORAGE_CUSTOM_ENDPOINT",
"GOOGLE_STORAGE_CUSTOM_ENDPOINT",
}, nil),
},
},
}
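Review bot: the new `storage_custom_endpoint` entry has no `Description`, while the neighbouring `kms_encryption_key` entry documents its expected format inline; add one stating the expected shape (an `https://` URL whose path is the Cloud Storage API path `/storage/v1/b`, as the documentation hunk describes) so the value is documented where the schema is read. Since whatever ends up here, including a value picked up from `GOOGLE_BACKEND_STORAGE_CUSTOM_ENDPOINT` or `GOOGLE_STORAGE_CUSTOM_ENDPOINT` in the environment, becomes the destination for every state read and write, also consider a `ValidateFunc` that rejects anything not parseable as an absolute `https` URL, so a typo or a plaintext scheme fails at validation time rather than at the first state operation.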

@@ -195,6 +204,12 @@ func (b *Backend) configure(ctx context.Context) error {
}

opts = append(opts, option.WithUserAgent(httpclient.UserAgentString()))

// Custom endpoint for storage API
if storageEndpoint, ok := data.GetOk("storage_custom_endpoint"); ok {
endpoint := option.WithEndpoint(storageEndpoint.(string))
opts = append(opts, endpoint)
}
client, err := storage.NewClient(b.storageContext, opts...)
if err != nil {
return fmt.Errorf("storage.NewClient() failed: %v", err)
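Review bot: the value returned by `data.GetOk("storage_custom_endpoint")` goes straight into `option.WithEndpoint` without any check, so a malformed string only surfaces later as an opaque error from `storage.NewClient` or from the first request; parse it with `url.Parse` here and return a descriptive error when the scheme is not `https` or the host is empty, in the same style as the `storage.NewClient() failed: %v` error just below. The commit also touches no test file: add a case to the backend tests that sets `storage_custom_endpoint` and checks that `configure` accepts a well-formed value and rejects a malformed one.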
3 changes: 2 additions & 1 deletion website/docs/language/settings/backends/gcs.mdx
@@ -130,4 +130,5 @@ The following configuration options are supported:
used when reading and writing state files in the bucket.
Format should be `projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{name}}`.
For more information, including IAM requirements, see [Customer-managed Encryption
Keys](https://cloud.google.com/storage/docs/encryption/customer-managed-keys).
Keys](https://cloud.google.com/storage/docs/encryption/customer-managed-keys).
- `storage_custom_endpoint` / `GOOGLE_BACKEND_STORAGE_CUSTOM_ENDPOINT` / `GOOGLE_STORAGE_CUSTOM_ENDPOINT` - (Optional) A URL containing three parts: the protocol, the DNS name pointing to a Private Service Connect endpoint, and the path for the Cloud Storage API (`/storage/v1/b`, [see here](https://cloud.google.com/storage/docs/json_api/v1/buckets/get#http-request)). You can either use [a DNS name automatically made by the Service Directory](https://cloud.google.com/vpc/docs/configure-private-service-connect-apis#configure-p-dns) or a [custom DNS name](https://cloud.google.com/vpc/docs/configure-private-service-connect-apis#configure-dns-default) made by you. For example, if you create an endpoint called `xyz` and want to use the automatically-created DNS name, you should set the field value as `https://storage-xyz.p.googleapis.com/storage/v1/b`. For help creating a Private Service Connect endpoint using Terraform, [see this guide](https://cloud.google.com/vpc/docs/configure-private-service-connect-apis#terraform_1).
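Review bot: the bullet lists both `GOOGLE_BACKEND_STORAGE_CUSTOM_ENDPOINT` and `GOOGLE_STORAGE_CUSTOM_ENDPOINT` but does not say which wins when both are set; the schema hunk passes `GOOGLE_BACKEND_STORAGE_CUSTOM_ENDPOINT` first to `schema.MultiEnvDefaultFunc`, so it takes precedence, and the docs should say so. It would also help to state that the value replaces the default Cloud Storage endpoint for all state operations and that the code adds no fallback to the public endpoint, so the machine running Terraform must be able to resolve and reach the Private Service Connect DNS name or `init` will fail. The `Keys](https://cloud.google.com/storage/docs/encryption/customer-managed-keys).` line is removed and re-added without visible change, presumably a trailing-newline fix; worth confirming it is not an accidental whitespace edit.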
