Google Cloud DNS Policy

google_dns_policy (Terraform)

The Policy in Cloud DNS can be configured in Terraform with the resource name google_dns_policy. The following sections describe 3 examples of how to use the resource and its parameters.

Example Usage from GitHub

nhsy/gcp-terragrunt-bootstrap

resource "google_dns_policy" "default_policy" {
  provider                  = google-beta
  project                   = var.project_id
  name                      = "default-policy"
  enable_inbound_forwarding = var.dns_enable_inbound_forwarding
  enable_logging            = var.dns_enable_logging

niveklabs/google

resource "google_dns_policy" "this" {
  description               = var.description
  enable_inbound_forwarding = var.enable_inbound_forwarding
  enable_logging            = var.enable_logging
  name                      = var.name
  project                   = var.project

caleonardo/jenkins-pipeline-test-03

resource "google_dns_policy" "default_policy" {
  provider                  = google-beta
  project                   = var.project_id
  name                      = "default-policy"
  enable_inbound_forwarding = var.dns_enable_inbound_forwarding
  enable_logging            = var.dns_enable_logging

Parameters

• description optional - string

A textual description field. Defaults to 'Managed by Terraform'.

• enable_inbound_forwarding optional - bool

Allows networks bound to this policy to receive DNS queries sent by VMs or applications over VPN connections. When enabled, a virtual IP address will be allocated from each of the sub-networks that are bound to this policy.

• enable_logging optional - bool

Controls whether logging is enabled for the networks bound to this policy. Defaults to no logging if not set.

• id optional computed - string
• name required - string

User assigned name for this policy.

• project optional computed - string
• alternative_name_server_config list block
  • target_name_servers set block
    • forwarding_path optional - string

    Forwarding path for this TargetNameServer. If unset or 'default' Cloud DNS will make forwarding decision based on address ranges, i.e. RFC1918 addresses go to the VPC, Non-RFC1918 addresses go to the Internet. When set to 'private', Cloud DNS will always send queries through VPC for this target Possible values: ["default", "private"]

    • ipv4_address required - string

    IPv4 address to forward to.

• networks set block
  • network_url required - string

  The id or fully qualified URL of the VPC network to forward queries to. This should be formatted like 'projects/[project]/global/networks/[network]' or 'https://www.googleapis.com/compute/v1/projects/[project]/global/networks/[network]'

• timeouts single block
  • create optional - string
  • delete optional - string
  • update optional - string

Explanation in Terraform Registry

A policy is a collection of DNS rules applied to one or more Virtual Private Cloud resources. To get more information about Policy, see:

• API documentation
• How-to Guides
  • Using DNS server policies

Tips: Best Practices for The Other Google Cloud DNS Resources

In addition to the google_dns_managed_zone, Google Cloud DNS has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

google_dns_managed_zone

Ensure DNSSEC for your Cloud DNS zone is enabled

It is better to enable DNSSEC unless the zone is private. DNSSEC prevents attackers from running several attacks for the DNS zone.