Google Cloud DNS Managed Zone

google_dns_managed_zone (Terraform)

The Managed Zone in Cloud DNS can be configured in Terraform with the resource name google_dns_managed_zone. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

melscoop-test/check

resource "google_dns_managed_zone" "private1" {
  # No result because visibility is private
  name        = "zone"
  dns_name    = "services.example.com."
  description = "Example DNS Service Directory zone"

jonpulsifer/cloudlab

resource "google_dns_managed_zone" "home-pulsifer-ca" {
  name        = "home-pulsifer-ca"
  dns_name    = "home.pulsifer.ca."
  description = "DNS for my LAN"

  labels = {

sprathod369/iac-example

resource "google_dns_managed_zone" "private1" {
  # No result because visibility is private
  name        = "zone"
  dns_name    = "services.example.com."
  description = "Example DNS Service Directory zone"

bridgecrewio/checkov

resource "google_dns_managed_zone" "private1" {
  # No result because visibility is private
  name        = "zone"
  dns_name    = "services.example.com."
  description = "Example DNS Service Directory zone"

Security Best Practices for google_dns_managed_zone

There is 1 setting in google_dns_managed_zone that should be taken care of for security reasons. The following section explain an overview and example code.

Ensure DNSSEC for your Cloud DNS zone is enabled

It is better to enable DNSSEC unless the zone is private. DNSSEC prevents attackers from running several attacks for the DNS zone.

Parameters

• description optional - string

A textual description field. Defaults to 'Managed by Terraform'.

• dns_name required - string

The DNS name of this managed zone, for instance "example.com.".

• force_destroy optional - bool
• id optional computed - string
• labels optional - map from string to string

A set of key/value label pairs to assign to this ManagedZone.

• name required - string

User assigned name for this resource. Must be unique within the project.

• name_servers optional computed - list of string

Delegate your managed_zone to these virtual name servers; defined by the server

• project optional computed - string
• visibility optional - string

The zone's visibility: public zones are exposed to the Internet, while private zones are visible only to Virtual Private Cloud resources. Default value: "public" Possible values: ["private", "public"]

• dnssec_config list block
  • kind optional - string

  Identifies what kind of resource this is

  • non_existence optional computed - string

  Specifies the mechanism used to provide authenticated denial-of-existence responses. non_existence can only be updated when the state is 'off'. Possible values: ["nsec", "nsec3"]

  • state optional - string

  Specifies whether DNSSEC is enabled, and what mode it is in Possible values: ["off", "on", "transfer"]

  • default_key_specs list block
    • algorithm optional - string

    String mnemonic specifying the DNSSEC algorithm of this key Possible values: ["ecdsap256sha256", "ecdsap384sha384", "rsasha1", "rsasha256", "rsasha512"]

    • key_length optional - number

    Length of the keys in bits

    • key_type optional - string

    Specifies whether this is a key signing key (KSK) or a zone signing key (ZSK). Key signing keys have the Secure Entry Point flag set and, when active, will only be used to sign resource record sets of type DNSKEY. Zone signing keys do not have the Secure Entry Point flag set and will be used to sign all other types of resource record sets. Possible values: ["keySigning", "zoneSigning"]

    • kind optional - string

    Identifies what kind of resource this is

• forwarding_config list block
  • target_name_servers set block
    • forwarding_path optional - string

    Forwarding path for this TargetNameServer. If unset or 'default' Cloud DNS will make forwarding decision based on address ranges, i.e. RFC1918 addresses go to the VPC, Non-RFC1918 addresses go to the Internet. When set to 'private', Cloud DNS will always send queries through VPC for this target Possible values: ["default", "private"]

    • ipv4_address required - string

    IPv4 address of a target name server.

• peering_config list block
  • target_network list block
    • network_url required - string

    The id or fully qualified URL of the VPC network to forward queries to. This should be formatted like 'projects/[project]/global/networks/[network]' or 'https://www.googleapis.com/compute/v1/projects/[project]/global/networks/[network]'

• private_visibility_config list block
  • networks set block
    • network_url required - string

    The id or fully qualified URL of the VPC network to bind to. This should be formatted like 'projects/[project]/global/networks/[network]' or 'https://www.googleapis.com/compute/v1/projects/[project]/global/networks/[network]'

• timeouts single block
  • create optional - string
  • delete optional - string
  • update optional - string

Explanation in Terraform Registry

A zone is a subtree of the DNS namespace under one administrative responsibility. A ManagedZone is a resource that represents a DNS zone hosted by the Cloud DNS service. To get more information about ManagedZone, see:

• API documentation
• How-to Guides
  • Managing Zones