Enforcing Soft Delete Policies for Google Cloud Storage

BJ Bloemker
Google Cloud - Community


Data security and compliance in the cloud are crucial, and one tool in a Cloud Engineer's kit is an effective data retention policy, especially for accidental deletions. This is where Google Cloud Storage's soft delete functionality comes in. It retains deleted or overwritten objects for a configurable period, giving you a safety net to recover data that was removed by mistake within that window.

Inconsistent soft delete settings across an organization add operational friction and can lead to unexpected data loss when a team picks a short window or disables the feature. To address this, Google Cloud provides an organization policy constraint named constraints/storage.softDeletePolicySeconds. This article shows how to apply that constraint with Terraform so that only specific soft delete durations can be set on buckets.

Terraform Code

Here’s the Terraform code that defines our standardized soft delete policy:

# Organization policy restricting which soft delete retention durations
# buckets in the organization may use. Replace YOUR_ORGANIZATION_ID with the
# numeric organization ID.
resource "google_organization_policy" "storage_soft_delete" {
  org_id     = "YOUR_ORGANIZATION_ID"
  constraint = "constraints/storage.softDeletePolicySeconds"

  list_policy {
    allow {
      # Durations in seconds:
      #   0       = soft delete disabled
      #   604800  = 7 days (the default for new buckets)
      #   1209600 = 14 days
      values = ["0", "604800", "1209600"]
    }
  }
}

As the name of the constraint indicates, the values in the allowed list are durations in seconds. Each value must be either 0 (soft delete disabled) or between 604800 (7 days) and 7776000 (90 days), inclusive; anything else is rejected when the policy is applied.

Once the policy is in place, requests that create a bucket or update its soft delete policy with a duration outside the allowed list are rejected, so in the console users can only select the specified values when creating a bucket. Two points are worth checking before you roll it out. First, the constraint is enforced on requests only: buckets that already exist keep whatever retention they have, so audit them separately. Second, new buckets default to a 7-day (604800 second) retention, so keep 604800 in the list unless every bucket creation in the organization sets the duration explicitly.
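The two checks above, as an added example that is not part of the original article: a validator for a proposed allow-list against the value rules the constraint accepts, and an audit of already-existing buckets against the same list (the org policy does not touch those retroactively). Bucket records are assumed to be in the JSON API bucket-resource shape (softDeletePolicy.retentionDurationSeconds); the bucket list and the allow-lists below are constructed for the example.

```python
"""Allow-list validation and bucket audit for constraints/storage.softDeletePolicySeconds.

Added example, not from the original article. Bucket records are assumed to be
JSON API bucket resources (the `items` of a storage.buckets.list response);
the sample data at the bottom is constructed.
"""
import json
import sys

DISABLED = 0
MIN_RETENTION = 7 * 24 * 3600    # 604800 s: 7 days, also the default for new buckets
MAX_RETENTION = 90 * 24 * 3600   # 7776000 s: 90 days


def validate_allow_list(values):
    """Check a proposed allow-list; returns (errors, warnings).

    errors   - values the constraint will not accept at all
    warnings - accepted values that weaken the policy's intent
    """
    errors, warnings, seconds = [], [], []
    for v in values:
        try:
            n = int(v)
        except (TypeError, ValueError):
            errors.append(f"{v!r} is not an integer number of seconds")
            continue
        if n != DISABLED and not (MIN_RETENTION <= n <= MAX_RETENTION):
            errors.append(f"{n} is outside 0 or {MIN_RETENTION}..{MAX_RETENTION}")
        seconds.append(n)
    if DISABLED in seconds:
        warnings.append("0 is allowed: buckets may disable soft delete, so no minimum is enforced")
    if MIN_RETENTION not in seconds:
        warnings.append(f"{MIN_RETENTION} (the 7-day default) is not allowed: bucket creations "
                        "must set an allowed duration explicitly")
    return errors, warnings


def audit_buckets(buckets, allowed):
    """Return [(name, retention_seconds)] for buckets whose current retention is
    not in `allowed`. A bucket with no readable softDeletePolicy is reported
    with retention None rather than silently passing."""
    allowed_set = {int(v) for v in allowed}
    findings = []
    for b in buckets:
        policy = b.get("softDeletePolicy") or {}
        if "retentionDurationSeconds" not in policy:
            findings.append((b["name"], None))
            continue
        retention = int(policy["retentionDurationSeconds"])
        if retention not in allowed_set:
            findings.append((b["name"], retention))
    return findings


# Constructed sample data for the example.
ARTICLE_ALLOW_LIST = ["0", "604800", "1209600"]
HARDENED_ALLOW_LIST = ["604800", "1209600"]   # no 0: a 7-day floor is actually enforced
SAMPLE_BUCKETS = [
    {"name": "payroll-archive",
     "softDeletePolicy": {"retentionDurationSeconds": "1209600",
                          "effectiveTime": "2024-03-01T00:00:00Z"}},
    {"name": "ci-scratch",
     "softDeletePolicy": {"retentionDurationSeconds": "0"}},
    {"name": "legacy-logs",
     "softDeletePolicy": {"retentionDurationSeconds": "2592000",
                          "effectiveTime": "2024-01-15T00:00:00Z"}},
    {"name": "unknown-bucket"},
]

if __name__ == "__main__":
    # Optional: python audit.py buckets.json  (a JSON array of bucket resources)
    buckets = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BUCKETS
    for label, allow in (("article", ARTICLE_ALLOW_LIST), ("hardened", HARDENED_ALLOW_LIST)):
        errors, warnings = validate_allow_list(allow)
        print(f"[{label}] allow-list {allow}: errors={errors} warnings={warnings}")
        for name, retention in audit_buckets(buckets, allow):
            print(f"[{label}]   non-compliant bucket {name}: retention={retention}")
```

Run it against the article's list and the validator passes but warns that 0 is allowed; run the audit with the hardened list and the bucket that disabled soft delete shows up as non-compliant, which is exactly what the org policy alone will not tell you about buckets created before it was applied.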

Conclusion

This organization policy approach lets us enforce specific retention periods for deleted objects across the organization. It provides:

Consistency: All new buckets, and all updates to existing ones, must use one of the same approved soft delete durations.
Security: Reduced risk of accidental data loss by ensuring a minimum retention period. Note that this only holds if 0 is left out of the allowed list; with 0 allowed, a bucket can still disable soft delete entirely.
Compliance: Simplified compliance efforts by maintaining consistent data retention practices.
Efficiency: Predictable storage costs, since soft-deleted objects are billed for the retention period and that period is now bounded.
