Google Cloud Storage (GCS) object versioning retains previous versions of an object in a bucket, enabling recovery from accidental deletions or overwrites, but it is disabled by default.
When object versioning is disabled, any write or delete operation on a GCS bucket is permanent: there is no way to recover a previous version of an object, or an object that was deleted, without an external backup. This rule raises an issue when a google_storage_bucket resource is created without a versioning block that sets enabled to true.
Without versioning, a single accidental or malicious write or delete operation is unrecoverable, and the loss may not be noticed until it is too late. Versioning keeps noncurrent versions in the same bucket, so pair it with a lifecycle rule that bounds how many are retained; it also does not stop a principal with delete permission on the bucket from removing noncurrent versions, so it complements, rather than replaces, backups and retention policies.
The following code is vulnerable because no versioning block is present, so object versioning is disabled by default.
resource "google_storage_bucket" "example" { # Noncompliant
  name     = "example"
  location = "US"
}
The following code is compliant because the versioning block explicitly enables object versioning, so overwritten and deleted objects are kept as noncurrent versions.
resource "google_storage_bucket" "example" {
  name     = "example"
  location = "US"
  versioning {
    enabled = true
  }
}
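As an added example, not part of the rule text and not SonarSource's own implementation, the following Python script applies this rule to plain .tf files before they ever reach a scanner: it walks each top-level resource block by brace depth, keeps only google_storage_bucket resources, and reports those whose versioning block does not set enabled = true. The Terraform snippets it scans are constructed for this example; note that it deliberately includes a bucket with enabled = false, which a naive "does a versioning block exist" check would wrongly accept. The parser is a lint-style approximation (no string or heredoc awareness, one attribute per line) rather than a full HCL parser.

```python
import re

# Constructed sample Terraform input for the example (not from any real project):
# the noncompliant and compliant buckets from the rule text, plus an explicit
# `enabled = false` bucket and an unrelated resource that must be ignored.
SAMPLE_TF = '''
resource "google_storage_bucket" "no_versioning" {
  name     = "example-a"
  location = "US"
}

resource "google_storage_bucket" "versioning_off" {
  name     = "example-b"
  location = "US"
  versioning {
    enabled = false
  }
}

resource "google_storage_bucket" "versioning_on" {
  name     = "example-c"
  location = "US"
  versioning {
    enabled = true
  }
  lifecycle_rule {
    condition {
      num_newer_versions = 5
    }
    action {
      type = "Delete"
    }
  }
}

resource "google_compute_instance" "unrelated" {
  name = "vm"
}
'''

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
VERSIONING_RE = re.compile(r'^\s*versioning\s*\{')
ENABLED_RE = re.compile(r'^\s*enabled\s*=\s*(true|false)\b')


def extract_blocks(text):
    """Yield (resource_type, resource_name, body_lines) for each top-level resource.

    Brace counting only; assumes braces do not appear inside strings or heredocs,
    which is adequate for a lint pass over ordinary .tf files.
    """
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RESOURCE_RE.match(lines[i])
        if not m:
            i += 1
            continue
        depth = lines[i].count("{") - lines[i].count("}")
        body = []
        i += 1
        while i < len(lines) and depth > 0:
            depth += lines[i].count("{") - lines[i].count("}")
            body.append(lines[i])
            i += 1
        yield m.group(1), m.group(2), body


def versioning_enabled(body):
    """Return True only if a `versioning` block directly sets `enabled = true`.

    Tracks nesting depth so an `enabled` attribute inside some other nested block
    (for example a lifecycle_rule) is never mistaken for the versioning flag.
    Assumes the block is written over several lines, as in the rule's examples.
    """
    depth = 0
    versioning_depth = None  # depth at which the versioning block was opened
    for line in body:
        if versioning_depth is None and VERSIONING_RE.match(line):
            versioning_depth = depth
        elif versioning_depth is not None and depth == versioning_depth + 1:
            m = ENABLED_RE.match(line)
            if m:
                return m.group(1) == "true"
        depth += line.count("{") - line.count("}")
        if versioning_depth is not None and depth <= versioning_depth:
            versioning_depth = None  # closed the versioning block without `enabled`
    return False


def find_noncompliant(text):
    """Names of google_storage_bucket resources lacking `versioning { enabled = true }`."""
    return [
        name
        for rtype, name, body in extract_blocks(text)
        if rtype == "google_storage_bucket" and not versioning_enabled(body)
    ]


if __name__ == "__main__":
    for name in find_noncompliant(SAMPLE_TF):
        print(f'Noncompliant: google_storage_bucket "{name}" does not enable object versioning')
```

Run it as a pre-commit step over `*.tf` files by reading each file into `find_noncompliant`; a non-empty result should fail the check. Because `enabled = var.something` is not a literal, the script treats it as not enabled, which is the safe default for a gate that must not silently pass a misconfiguration.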