Google Cloud DNS Managed Zone
This page shows how to write Terraform for a Cloud DNS Managed Zone and how to write it securely.
google_dns_managed_zone (Terraform)
The Managed Zone in Cloud DNS can be configured in Terraform with the resource name google_dns_managed_zone. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "google_dns_managed_zone" "private1" {
  # No result because visibility is private
  name        = "zone"
  dns_name    = "services.example.com."
  description = "Example DNS Service Directory zone"
}
resource "google_dns_managed_zone" "home-pulsifer-ca" {
  name        = "home-pulsifer-ca"
  dns_name    = "home.pulsifer.ca."
  description = "DNS for my LAN"
  labels = {
    # label entries omitted on the source page
  }
}
Security Best Practices for google_dns_managed_zone
There is 1 setting in google_dns_managed_zone that should be taken care of for security reasons. The following section explains it with an overview and example code.
Ensure DNSSEC for your Cloud DNS zone is enabled
It is better to enable DNSSEC unless the zone is private. DNSSEC signs the zone's records so that validating resolvers can detect forged or tampered responses for the DNS zone.
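The weak setting beside the corrected one, as an added example that is not one of the page's GitHub snippets; the resource names and dns_name values are placeholders.

```hcl
# Constructed example; names and dns_name values are placeholders.

# Weak: a public zone with no dnssec_config block. DNSSEC defaults to "off",
# so a validating resolver has no way to tell a forged answer from a real one.
resource "google_dns_managed_zone" "public_unsigned" {
  name     = "example-unsigned"
  dns_name = "unsigned.example.com."
}

# Corrected: the same kind of public zone with DNSSEC turned on.
resource "google_dns_managed_zone" "public_signed" {
  name        = "example-signed"
  dns_name    = "signed.example.com."
  description = "Public zone, DNSSEC signed"
  visibility  = "public"

  dnssec_config {
    state         = "on"
    non_existence = "nsec3" # can only be changed while state is "off"

    # One key-signing key and one zone-signing key; for ecdsap256sha256
    # the key length is 256 bits.
    default_key_specs {
      algorithm  = "ecdsap256sha256"
      key_length = 256
      key_type   = "keySigning"
    }
    default_key_specs {
      algorithm  = "ecdsap256sha256"
      key_length = 256
      key_type   = "zoneSigning"
    }
  }
}

# Private zones (visibility = "private") cannot be signed: leave dnssec_config
# out for them and rely on VPC-only visibility instead.
```

Enabling DNSSEC on the zone only signs it; the chain of trust is complete once the zone's DS record is published at the parent zone through the registrar.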
Parameters
- description (optional, string): A textual description field. Defaults to 'Managed by Terraform'.
- dns_name (required, string): The DNS name of this managed zone, for instance "example.com.".
- force_destroy (optional, bool)
- id (optional, computed, string)
- labels (optional, map from string to string): A set of key/value label pairs to assign to this ManagedZone.
- name (required, string): User-assigned name for this resource. Must be unique within the project.
- name_servers (optional, computed, list of string): Delegate your managed_zone to these virtual name servers; defined by the server.
- project (optional, computed, string)
- visibility (optional, string): The zone's visibility: public zones are exposed to the Internet, while private zones are visible only to Virtual Private Cloud resources. Default value: "public". Possible values: ["private", "public"]
- dnssec_config (list block)
  - kind (optional, string): Identifies what kind of resource this is.
  - non_existence (optional, computed, string): Specifies the mechanism used to provide authenticated denial-of-existence responses. non_existence can only be updated when the state is 'off'. Possible values: ["nsec", "nsec3"]
  - state (optional, string): Specifies whether DNSSEC is enabled, and what mode it is in. Possible values: ["off", "on", "transfer"]
  - default_key_specs (list block)
    - algorithm (optional, string): String mnemonic specifying the DNSSEC algorithm of this key. Possible values: ["ecdsap256sha256", "ecdsap384sha384", "rsasha1", "rsasha256", "rsasha512"]
    - key_length (optional, number): Length of the keys in bits.
    - key_type (optional, string): Specifies whether this is a key signing key (KSK) or a zone signing key (ZSK). Key signing keys have the Secure Entry Point flag set and, when active, will only be used to sign resource record sets of type DNSKEY. Zone signing keys do not have the Secure Entry Point flag set and will be used to sign all other types of resource record sets. Possible values: ["keySigning", "zoneSigning"]
    - kind (optional, string): Identifies what kind of resource this is.
- forwarding_config (list block)
  - target_name_servers (set block)
    - forwarding_path (optional, string): Forwarding path for this TargetNameServer. If unset or 'default', Cloud DNS makes the forwarding decision based on address ranges: RFC 1918 addresses go to the VPC, non-RFC 1918 addresses go to the Internet. When set to 'private', Cloud DNS always sends queries for this target through the VPC. Possible values: ["default", "private"]
    - ipv4_address (required, string): IPv4 address of a target name server.
- peering_config (list block)
  - target_network (list block)
    - network_url (required, string): The id or fully qualified URL of the VPC network to forward queries to. This should be formatted like 'projects/[project]/global/networks/[network]' or 'https://www.googleapis.com/compute/v1/projects/[project]/global/networks/[network]'.
- private_visibility_config (list block)
  - networks (set block)
    - network_url (required, string): The id or fully qualified URL of the VPC network to bind to. This should be formatted like 'projects/[project]/global/networks/[network]' or 'https://www.googleapis.com/compute/v1/projects/[project]/global/networks/[network]'.
- timeouts (single block)
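The private-zone and forwarding parameters above, worked into a configuration as an added example (not one of the page's GitHub snippets); the project id, network name, zone names and name-server addresses are placeholders.

```hcl
# Constructed example; project id, network, zone names and addresses are
# placeholders.

# Private zone: resolvable only from the bound VPC network, never from the
# Internet. DNSSEC does not apply to private zones, so there is no dnssec_config.
resource "google_dns_managed_zone" "corp_private" {
  name        = "corp-internal"
  dns_name    = "corp.internal."
  description = "Internal names, VPC-only"
  visibility  = "private"

  private_visibility_config {
    networks {
      # Documented format: projects/[project]/global/networks/[network]
      network_url = "projects/my-project/global/networks/lan"
    }
  }
}

# Forwarding zone: queries for onprem.example.com. go to on-premises resolvers
# reachable through the VPC (for example over VPN). 192.0.2.53 is not an
# RFC 1918 address, so with forwarding_path = "default" Cloud DNS would route
# the query to the Internet; "private" keeps it inside the VPC for this target.
resource "google_dns_managed_zone" "onprem_forward" {
  name        = "onprem-forward"
  dns_name    = "onprem.example.com."
  description = "Forward to on-prem resolvers via the VPC"
  visibility  = "private"

  private_visibility_config {
    networks {
      network_url = "projects/my-project/global/networks/lan"
    }
  }

  forwarding_config {
    target_name_servers {
      ipv4_address    = "192.0.2.53"
      forwarding_path = "private"
    }
    target_name_servers {
      ipv4_address    = "10.20.0.53" # RFC 1918: routed via the VPC either way
      forwarding_path = "private"
    }
  }
}
```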
Explanation in Terraform Registry
A zone is a subtree of the DNS namespace under one administrative responsibility. A ManagedZone is a resource that represents a DNS zone hosted by the Cloud DNS service. To get more information about ManagedZone, see:
- API documentation
- How-to Guides
Frequently asked questions
What is Google Cloud DNS Managed Zone?
Google Cloud DNS Managed Zone is a resource for Cloud DNS of Google Cloud Platform. Settings can be written in Terraform.
Where can I find the example code for the Google Cloud DNS Managed Zone?
For Terraform, the melscoop-test/check, jonpulsifer/cloudlab and sprathod369/iac-example source code examples are useful. See the Terraform Example section for further details.