Google Cloud DNS Policy
This page shows how to write Terraform for a Cloud DNS Policy and how to configure it securely.
google_dns_policy (Terraform)
The Policy in Cloud DNS can be configured in Terraform with the resource name google_dns_policy. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
# Example 1: policy driven by variables, using the google-beta provider.
# Logging and inbound forwarding are toggled by input variables.
resource "google_dns_policy" "default_policy" {
  provider                  = google-beta
  project                   = var.project_id
  name                      = "default-policy"
  enable_inbound_forwarding = var.dns_enable_inbound_forwarding
  enable_logging            = var.dns_enable_logging
}

# Example 2: fully variable-driven module-style resource.
resource "google_dns_policy" "this" {
  description               = var.description
  enable_inbound_forwarding = var.enable_inbound_forwarding
  enable_logging            = var.enable_logging
  name                      = var.name
  project                   = var.project
}

# Example 3: same shape as example 1, as found in a second repository.
resource "google_dns_policy" "default_policy" {
  provider                  = google-beta
  project                   = var.project_id
  name                      = "default-policy"
  enable_inbound_forwarding = var.dns_enable_inbound_forwarding
  enable_logging            = var.dns_enable_logging
}
Parameters
- description (optional - string): A textual description field. Defaults to 'Managed by Terraform'.
- enable_inbound_forwarding (optional - bool): Allows networks bound to this policy to receive DNS queries sent by VMs or applications over VPN connections. When enabled, a virtual IP address will be allocated from each of the sub-networks that are bound to this policy.
- enable_logging (optional - bool): Controls whether logging is enabled for the networks bound to this policy. Defaults to no logging if not set.
- name (required - string): User assigned name for this policy.
- project (optional, computed - string)
- alternative_name_server_config (list block)
  - target_name_servers (set block)
    - forwarding_path (optional - string): Forwarding path for this TargetNameServer. If unset or 'default', Cloud DNS makes the forwarding decision based on address ranges, i.e. RFC 1918 addresses go to the VPC and non-RFC 1918 addresses go to the Internet. When set to 'private', Cloud DNS always sends queries through the VPC for this target. Possible values: ["default", "private"]
    - ipv4_address (required - string): IPv4 address to forward to.
- networks (set block)
  - network_url (required - string): The id or fully qualified URL of the VPC network to forward queries to. This should be formatted like 'projects/[project]/global/networks/[network]' or 'https://www.googleapis.com/compute/v1/projects/[project]/global/networks/[network]'
- timeouts (single block)
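The following is an added example, not code from the repositories cited on this page, showing how the nested blocks above fit together: an outbound-forwarding policy that sends every query for the bound network to two resolvers over the VPC path, with query logging turned on and inbound forwarding left off so no forwarding VIP is allocated in the subnetworks. The network name "example-vpc" and the resolver addresses 10.0.0.53 and 10.0.1.53 are constructed placeholders.

```hcl
# Added example; the VPC name and resolver addresses are constructed placeholders.
resource "google_compute_network" "example" {
  name                    = "example-vpc"
  auto_create_subnetworks = false
}

resource "google_dns_policy" "forwarding" {
  name        = "forwarding-policy"
  description = "Forward queries to internal resolvers; log all queries"

  # Inbound forwarding allocates a virtual IP in every bound subnetwork,
  # so keep it disabled unless on-premises clients must reach Cloud DNS.
  enable_inbound_forwarding = false

  # Logging is off by default; enable it so DNS queries are visible in Cloud Logging.
  enable_logging = true

  # Outbound forwarding targets. 'private' forces the VPC path regardless of
  # whether the resolver address is RFC 1918 or not.
  alternative_name_server_config {
    target_name_servers {
      ipv4_address    = "10.0.0.53"
      forwarding_path = "private"
    }
    target_name_servers {
      ipv4_address    = "10.0.1.53"
      forwarding_path = "private"
    }
  }

  # Networks the policy applies to; the resource id is accepted as network_url.
  networks {
    network_url = google_compute_network.example.id
  }
}
```

Note that enable_logging is a per-policy setting: a VPC network that is not bound to a policy with logging enabled generates no DNS query logs, so each network whose traffic should be visible needs its own networks block in a logging-enabled policy.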
Explanation in Terraform Registry
A policy is a collection of DNS rules applied to one or more Virtual Private Cloud resources. To get more information about Policy, see:
- API documentation
- How-to Guides
Tips: Best Practices for Other Google Cloud DNS Resources
In addition to google_dns_policy, Google Cloud DNS has other resources that should be configured with security in mind. Please check the examples of those resources and the precautions below.
google_dns_managed_zone
Ensure DNSSEC for your Cloud DNS zone is enabled
It is better to enable DNSSEC unless the zone is private. DNSSEC lets resolvers verify the authenticity of the zone's records and so prevents several attacks against the DNS zone.
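As an added example (not code from the repositories cited on this page), the following shows a public google_dns_managed_zone with DNSSEC turned on beside a private zone, where the dnssec_config block is omitted because DNSSEC does not apply. The zone names, the domain "example.com." and the VPC name "example-vpc" are constructed placeholders.

```hcl
# Added example; zone names, domain and VPC name are constructed placeholders.
resource "google_compute_network" "example" {
  name                    = "example-vpc"
  auto_create_subnetworks = false
}

# Public zone: DNSSEC should be enabled so resolvers can validate the records.
resource "google_dns_managed_zone" "public" {
  name        = "example-public-zone"
  dns_name    = "example.com."
  description = "Public zone with DNSSEC signing enabled"
  visibility  = "public"

  dnssec_config {
    state = "on"
  }
}

# Private zone: only resolvable from the listed VPC networks, so no DNSSEC
# configuration is set here.
resource "google_dns_managed_zone" "private" {
  name        = "example-private-zone"
  dns_name    = "internal.example.com."
  description = "Private zone visible only to example-vpc"
  visibility  = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.example.id
    }
  }
}
```

After applying, the DS record that must be published at the parent zone can be read from the zone's dnssec_config; signing only takes effect once that delegation step is completed at the registrar.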
Frequently asked questions
What is Google Cloud DNS Policy?
Google Cloud DNS Policy is a resource for Cloud DNS on Google Cloud Platform. Its settings can be written in Terraform.
Where can I find the example code for the Google Cloud DNS Policy?
For Terraform, the nhsy/gcp-terragrunt-bootstrap, niveklabs/google and caleonardo/jenkins-pipeline-test-03 source code examples are useful. See the Terraform Example section for further details.