Google Cloud DNS Managed Zone

This page shows how to write Terraform for a Cloud DNS Managed Zone and how to configure it securely.

google_dns_managed_zone (Terraform)

The Managed Zone in Cloud DNS can be configured in Terraform with the resource name google_dns_managed_zone. The following sections show how the resource is used in public GitHub repositories, which setting matters for security, and what each parameter means.

Example Usage from GitHub

main.tf#L1
resource "google_dns_managed_zone" "private1" {
  # No result because visibility is private
  # (the DNSSEC check below does not apply to private zones)
  name        = "zone"
  dns_name    = "services.example.com."
  description = "Example DNS Service Directory zone"
  visibility  = "private"
}

dns.tf#L1
resource "google_dns_managed_zone" "home-pulsifer-ca" {
  name        = "home-pulsifer-ca"
  dns_name    = "home.pulsifer.ca."
  description = "DNS for my LAN"

  labels = {
    # label entries are cut off in the excerpt
  }
}


Security Best Practices for google_dns_managed_zone

There is one setting in google_dns_managed_zone that should be taken care of for security reasons. The following section explains the risk and gives example code.


Ensure DNSSEC for your Cloud DNS zone is enabled

Enable DNSSEC (a dnssec_config block with state = "on") on every public zone. DNSSEC signs the zone's record sets, so a validating resolver can check that an answer really came from the zone owner and was not altered on the way; without it, an attacker who can spoof or poison answers for your names (for example, cache poisoning against a recursive resolver) can redirect clients to hosts they control. Private zones are the exception: Cloud DNS does not support DNSSEC for zones with visibility = "private", so the check applies to public zones only. Two caveats for practitioners: turning the setting on only signs the zone, and the chain of trust is not complete until the DS record for the zone's key-signing key is published in the parent zone (at your registrar for a registered domain); and non_existence can only be changed while state is "off", so pick the denial-of-existence mode before enabling signing. Verify the result with a validating resolver (for example, dig +dnssec) after apply.
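The configuration the check flags beside the hardened form, as an added example that is not code from the original page or from any repository it cites. Zone names, DNS names and the project are placeholders; the data source google_dns_keys and its key_signing_keys[*].ds_record attribute are from the Google provider and are used here to surface the DS record that must be published in the parent zone.

```hcl
# Added example (not from the original page or any project it cites).
# Zone names and DNS names are placeholders.

# Weak: a public zone with no dnssec_config. The provider leaves DNSSEC off,
# so resolvers cannot verify answers for this zone.
resource "google_dns_managed_zone" "public_unsigned" {
  name        = "example-unsigned"
  dns_name    = "unsigned.example.com."
  description = "Public zone without DNSSEC (do not copy)"
  visibility  = "public"
}

# Hardened: the same kind of zone with DNSSEC enabled and explicit key
# parameters for both the key-signing key (KSK) and zone-signing key (ZSK).
resource "google_dns_managed_zone" "public_signed" {
  name        = "example-signed"
  dns_name    = "example.com."
  description = "Public zone with DNSSEC"
  visibility  = "public"

  dnssec_config {
    state         = "on"
    non_existence = "nsec3" # can only be changed while state is "off"

    default_key_specs {
      algorithm  = "ecdsap256sha256"
      key_length = 256
      key_type   = "keySigning"
      kind       = "dns#dnsKeySpec"
    }

    default_key_specs {
      algorithm  = "ecdsap256sha256"
      key_length = 256
      key_type   = "zoneSigning"
      kind       = "dns#dnsKeySpec"
    }
  }
}

# Signing alone is not enough: the parent zone must carry a DS record for the
# KSK. Read the generated key material and export the DS record so it can be
# published at the registrar (or in the parent Cloud DNS zone).
data "google_dns_keys" "public_signed" {
  managed_zone = google_dns_managed_zone.public_signed.id
}

output "ds_record" {
  description = "DS record to publish in the parent zone"
  value       = data.google_dns_keys.public_signed.key_signing_keys[0].ds_record
}
```

The data source reads keys that Cloud DNS generates when the zone is created with signing on, so the output is populated after the first apply; until the DS record it prints is published in the parent, validating resolvers treat the zone as unsigned rather than as secure.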


Parameters

  • description - A textual description field. Defaults to 'Managed by Terraform'.

  • dns_name - (Required) The DNS name of this managed zone, for instance "example.com.". The trailing dot is required; the value must be a fully qualified domain name.

  • labels - A set of key/value label pairs to assign to this ManagedZone.

  • name - (Required) User assigned name for this resource. Must be unique within the project.

  • name_servers - (Computed) Delegate your managed_zone to these virtual name servers; defined by the server.

  • visibility - The zone's visibility: public zones are exposed to the Internet, while private zones are visible only to Virtual Private Cloud resources. Default value: "public". Possible values: ["private", "public"]

  • dnssec_config list block

    kind - Identifies what kind of resource this is.

    non_existence - Specifies the mechanism used to provide authenticated denial-of-existence responses. non_existence can only be updated when the state is 'off'. Possible values: ["nsec", "nsec3"]

    state - Specifies whether DNSSEC is enabled, and what mode it is in. Possible values: ["off", "on", "transfer"]

    • default_key_specs list block

      algorithm - String mnemonic specifying the DNSSEC algorithm of this key. Possible values: ["ecdsap256sha256", "ecdsap384sha384", "rsasha1", "rsasha256", "rsasha512"]

      key_length - Length of the keys in bits.

      key_type - Specifies whether this is a key signing key (KSK) or a zone signing key (ZSK). Key signing keys have the Secure Entry Point flag set and, when active, will only be used to sign resource record sets of type DNSKEY. Zone signing keys do not have the Secure Entry Point flag set and will be used to sign all other types of resource record sets. Possible values: ["keySigning", "zoneSigning"]

      kind - Identifies what kind of resource this is.

  • forwarding_config list block
    • target_name_servers set block

      forwarding_path - Forwarding path for this TargetNameServer. If unset or 'default', Cloud DNS will make the forwarding decision based on address ranges, i.e. RFC 1918 addresses go to the VPC and non-RFC 1918 addresses go to the Internet. When set to 'private', Cloud DNS will always send queries through the VPC for this target. Possible values: ["default", "private"]

      ipv4_address - IPv4 address of a target name server.

  • peering_config list block
    • target_network block

      network_url - The self link of the VPC network whose private zones this zone forwards queries to.

  • private_visibility_config list block
    • networks set block

      network_url - The self link of a VPC network that is allowed to see records from this zone.

  • timeouts single block

    create, update, delete - Optional operation timeouts for the resource.
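How visibility, private_visibility_config and forwarding_config fit together, as an added example that is not code from the original page or from any repository it cites. The network, zone names, DNS names and the resolver addresses (documentation-range addresses standing in for on-prem resolvers reachable over VPN or Interconnect) are assumptions.

```hcl
# Added example (not from the original page or any project it cites).
# Network name, zone names, DNS names and resolver addresses are placeholders.

resource "google_compute_network" "internal" {
  name                    = "internal"
  auto_create_subnetworks = false
}

# Private zone: answers are served only to resources in the listed VPC
# networks and the zone is never published on the Internet. DNSSEC is not
# available for private zones, so the DNSSEC check does not apply here.
resource "google_dns_managed_zone" "corp_private" {
  name        = "corp-internal"
  dns_name    = "corp.internal."
  description = "Internal names, not resolvable from the Internet"
  visibility  = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.internal.self_link
    }
  }
}

# Forwarding zone: queries from the VPC for onprem.example.com. are sent to
# the corporate resolvers. forwarding_path = "private" forces the query over
# the VPC (Cloud VPN / Interconnect) even though the target address is not
# RFC 1918, so internal queries never egress to the Internet.
resource "google_dns_managed_zone" "onprem_forward" {
  name        = "onprem-forward"
  dns_name    = "onprem.example.com."
  description = "Forward on-prem names to the corporate resolvers"
  visibility  = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.internal.self_link
    }
  }

  forwarding_config {
    target_name_servers {
      ipv4_address    = "203.0.113.53" # placeholder on-prem resolver
      forwarding_path = "private"
    }

    target_name_servers {
      ipv4_address    = "203.0.113.54" # placeholder on-prem resolver
      forwarding_path = "private"
    }
  }
}
```

Leaving forwarding_path at its default would send queries for a non-RFC 1918 resolver address out to the Internet, which is rarely what an internal forwarding zone intends; setting it to "private" on each target is the explicit choice.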

Explanation in Terraform Registry

A zone is a subtree of the DNS namespace under one administrative responsibility. A ManagedZone is a resource that represents a DNS zone hosted by the Cloud DNS service. To get more information about ManagedZone, see:

Frequently asked questions

What is Google Cloud DNS Managed Zone?

Google Cloud DNS Managed Zone is a resource for Cloud DNS of Google Cloud Platform. Its settings can be written in Terraform.

Where can I find the example code for the Google Cloud DNS Managed Zone?

For Terraform, the melscoop-test/check, jonpulsifer/cloudlab and sprathod369/iac-example source code examples are useful. See the Example Usage from GitHub section above for further details.
