A zone is a subtree of the DNS namespace under one administrative responsibility. A ManagedZone is a resource that represents a DNS zone hosted by the Cloud DNS service.
To get more information about ManagedZone, see:
resource "google_dns_managed_zone" "example-zone" {
name = "example-zone"
dns_name = "example-${random_id.rnd.hex}.com."
description = "Example DNS zone"
labels = {
foo = "bar"
}
}
resource "random_id" "rnd" {
byte_length = 4
}
resource "google_dns_managed_zone" "private-zone" {
name = "private-zone"
dns_name = "private.example.com."
description = "Example private DNS zone"
labels = {
foo = "bar"
}
visibility = "private"
private_visibility_config {
networks {
network_url = google_compute_network.network-1.id
}
networks {
network_url = google_compute_network.network-2.id
}
}
}
resource "google_compute_network" "network-1" {
name = "network-1"
auto_create_subnetworks = false
}
resource "google_compute_network" "network-2" {
name = "network-2"
auto_create_subnetworks = false
}
resource "google_dns_managed_zone" "private-zone" {
name = "private-zone"
dns_name = "private.example.com."
description = "Example private DNS zone"
labels = {
foo = "bar"
}
visibility = "private"
private_visibility_config {
networks {
network_url = google_compute_network.network-1.id
}
networks {
network_url = google_compute_network.network-2.id
}
}
forwarding_config {
target_name_servers {
ipv4_address = "172.16.1.10"
}
target_name_servers {
ipv4_address = "172.16.1.20"
}
}
}
resource "google_compute_network" "network-1" {
name = "network-1"
auto_create_subnetworks = false
}
resource "google_compute_network" "network-2" {
name = "network-2"
auto_create_subnetworks = false
}
resource "google_dns_managed_zone" "private-zone-gke" {
name = "private-zone"
dns_name = "private.example.com."
description = "Example private DNS zone"
labels = {
foo = "bar"
}
visibility = "private"
private_visibility_config {
gke_clusters {
gke_cluster_name = google_container_cluster.cluster-1.id
}
}
}
resource "google_compute_network" "network-1" {
name = "network-1"
auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "subnetwork-1" {
name = google_compute_network.network-1.name
network = google_compute_network.network-1.name
ip_cidr_range = "10.0.36.0/24"
region = "us-central1"
private_ip_google_access = true
secondary_ip_range {
range_name = "pod"
ip_cidr_range = "10.0.0.0/19"
}
secondary_ip_range {
range_name = "svc"
ip_cidr_range = "10.0.32.0/22"
}
}
resource "google_container_cluster" "cluster-1" {
name = "cluster-1"
location = "us-central1-c"
initial_node_count = 1
networking_mode = "VPC_NATIVE"
default_snat_status {
disabled = true
}
network = google_compute_network.network-1.name
subnetwork = google_compute_subnetwork.subnetwork-1.name
private_cluster_config {
enable_private_endpoint = true
enable_private_nodes = true
master_ipv4_cidr_block = "10.42.0.0/28"
master_global_access_config {
enabled = true
}
}
master_authorized_networks_config {
}
ip_allocation_policy {
cluster_secondary_range_name = google_compute_subnetwork.subnetwork-1.secondary_ip_range[0].range_name
services_secondary_range_name = google_compute_subnetwork.subnetwork-1.secondary_ip_range[1].range_name
}
deletion_protection = "true"
}
resource "google_dns_managed_zone" "peering-zone" {
name = "peering-zone"
dns_name = "peering.example.com."
description = "Example private DNS peering zone"
visibility = "private"
private_visibility_config {
networks {
network_url = google_compute_network.network-source.id
}
}
peering_config {
target_network {
network_url = google_compute_network.network-target.id
}
}
}
resource "google_compute_network" "network-source" {
name = "network-source"
auto_create_subnetworks = false
}
resource "google_compute_network" "network-target" {
name = "network-target"
auto_create_subnetworks = false
}
resource "google_dns_managed_zone" "sd-zone" {
provider = google-beta
name = "peering-zone"
dns_name = "services.example.com."
description = "Example private DNS Service Directory zone"
visibility = "private"
service_directory_config {
namespace {
namespace_url = google_service_directory_namespace.example.id
}
}
}
resource "google_service_directory_namespace" "example" {
provider = google-beta
namespace_id = "example"
location = "us-central1"
}
resource "google_compute_network" "network" {
provider = google-beta
name = "network"
auto_create_subnetworks = false
}
resource "google_dns_managed_zone" "cloud-logging-enabled-zone" {
name = "cloud-logging-enabled-zone"
dns_name = "services.example.com."
description = "Example cloud logging enabled DNS zone"
labels = {
foo = "bar"
}
cloud_logging_config {
enable_logging = true
}
}
The following arguments are supported:
dns_name
-
(Required)
The DNS name of this managed zone, for instance "example.com.".
name
-
(Required)
User assigned name for this resource.
Must be unique within the project.
description
-
(Optional)
A textual description field. Defaults to 'Managed by Terraform'.
dnssec_config
-
(Optional)
DNSSEC configuration
Structure is documented below.
labels
-
(Optional)
A set of key/value label pairs to assign to this ManagedZone.
Note: This field is non-authoritative, and will only manage the labels present in your configuration.
Please refer to the field effective_labels
for all of the labels present on the resource.
visibility
-
(Optional)
The zone's visibility: public zones are exposed to the Internet,
while private zones are visible only to Virtual Private Cloud resources.
Default value is public
.
Possible values are: private
, public
.
private_visibility_config
-
(Optional)
For privately visible zones, the set of Virtual Private Cloud
resources that the zone is visible from. At least one of gke_clusters
or networks
must be specified.
Structure is documented below.
forwarding_config
-
(Optional)
The presence for this field indicates that outbound forwarding is enabled
for this zone. The value of this field contains the set of destinations
to forward to.
Structure is documented below.
peering_config
-
(Optional)
The presence of this field indicates that DNS Peering is enabled for this
zone. The value of this field contains the network to peer with.
Structure is documented below.
reverse_lookup
-
(Optional, Beta)
Specifies if this is a managed reverse lookup zone. If true, Cloud DNS will resolve reverse
lookup queries using automatically configured records for VPC resources. This only applies
to networks listed under private_visibility_config
.
service_directory_config
-
(Optional, Beta)
The presence of this field indicates that this zone is backed by Service Directory. The value of this field contains information related to the namespace associated with the zone.
Structure is documented below.
cloud_logging_config
-
(Optional)
Cloud logging configuration
Structure is documented below.
project
- (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
force_destroy
- (Optional) Set this true to delete all records in the zone.
The dnssec_config
block supports:
kind
-
(Optional)
Identifies what kind of resource this is
non_existence
-
(Optional)
Specifies the mechanism used to provide authenticated denial-of-existence responses.
non_existence can only be updated when the state is off
.
Possible values are: nsec
, nsec3
.
state
-
(Optional)
Specifies whether DNSSEC is enabled, and what mode it is in
Possible values are: off
, on
, transfer
.
default_key_specs
-
(Optional)
Specifies parameters that will be used for generating initial DnsKeys
for this ManagedZone. If you provide a spec for keySigning or zoneSigning,
you must also provide one for the other.
default_key_specs can only be updated when the state is off
.
Structure is documented below.
The default_key_specs
block supports:
algorithm
-
(Optional)
String mnemonic specifying the DNSSEC algorithm of this key
Possible values are: ecdsap256sha256
, ecdsap384sha384
, rsasha1
, rsasha256
, rsasha512
.
key_length
-
(Optional)
Length of the keys in bits
key_type
-
(Optional)
Specifies whether this is a key signing key (KSK) or a zone
signing key (ZSK). Key signing keys have the Secure Entry
Point flag set and, when active, will only be used to sign
resource record sets of type DNSKEY. Zone signing keys do
not have the Secure Entry Point flag set and will be used
to sign all other types of resource record sets.
Possible values are: keySigning
, zoneSigning
.
kind
-
(Optional)
Identifies what kind of resource this is
The private_visibility_config
block supports:
gke_clusters
-
(Optional)
The list of Google Kubernetes Engine clusters that can see this zone.
Structure is documented below.
networks
-
(Optional)
The list of VPC networks that can see this zone. Until the provider updates to use the Terraform 0.12 SDK in a future release, you
may experience issues with this resource while updating. If you've defined a networks
block and
add another networks
block while keeping the old block, Terraform will see an incorrect diff
and apply an incorrect update to the resource. If you encounter this issue, remove all networks
blocks in an update and then apply another update adding all of them back simultaneously.
Structure is documented below.
The gke_clusters
block supports:
gke_cluster_name
-
(Required)
The resource name of the cluster to bind this ManagedZone to.
This should be specified in the format like
projects/*/locations/*/clusters/*
network_url
-
(Required)
The id or fully qualified URL of the VPC network to bind to.
This should be formatted like projects/{project}/global/networks/{network}
or
https://www.googleapis.com/compute/v1/projects/{project}/global/networks/{network}
The forwarding_config
block supports:
target_name_servers
-
(Required)
List of target name servers to forward to. Cloud DNS will
select the best available name server if more than
one target is given.
Structure is documented below.The target_name_servers
block supports:
ipv4_address
-
(Required)
IPv4 address of a target name server.
forwarding_path
-
(Optional)
Forwarding path for this TargetNameServer. If unset or default
Cloud DNS will make forwarding
decision based on address ranges, i.e. RFC1918 addresses go to the VPC, Non-RFC1918 addresses go
to the Internet. When set to private
, Cloud DNS will always send queries through VPC for this target
Possible values are: default
, private
.
The peering_config
block supports:
target_network
-
(Required)
The network with which to peer.
Structure is documented below.The target_network
block supports:
network_url
-
(Required)
The id or fully qualified URL of the VPC network to forward queries to.
This should be formatted like projects/{project}/global/networks/{network}
or
https://www.googleapis.com/compute/v1/projects/{project}/global/networks/{network}
The service_directory_config
block supports:
namespace
-
(Required)
The namespace associated with the zone.
Structure is documented below.namespace_url
-
(Required)
The fully qualified or partial URL of the service directory namespace that should be
associated with the zone. This should be formatted like
https://servicedirectory.googleapis.com/v1/projects/{project}/locations/{location}/namespaces/{namespace_id}
or simply projects/{project}/locations/{location}/namespaces/{namespace_id}
Ignored for public
visibility zones.The cloud_logging_config
block supports:
enable_logging
-
(Required)
If set, enable query logging for this ManagedZone. False by default, making logging opt-in.In addition to the arguments listed above, the following computed attributes are exported:
id
- an identifier for the resource with format projects/{{project}}/managedZones/{{name}}
managed_zone_id
-
Unique identifier for the resource; defined by the server.
name_servers
-
Delegate your managed_zone to these virtual name servers;
defined by the server
creation_time
-
The time that this resource was created on the server.
This is in RFC3339 text format.
terraform_labels
-
The combination of labels configured directly on the resource
and default labels configured on the provider.
effective_labels
-
All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.
This resource provides the following Timeouts configuration options:
create
- Default is 20 minutes.update
- Default is 20 minutes.delete
- Default is 20 minutes.ManagedZone can be imported using any of these accepted formats:
projects/{{project}}/managedZones/{{name}}
{{project}}/{{name}}
{{name}}
In Terraform v1.5.0 and later, use an import
block to import ManagedZone using one of the formats above. For example:
import {
id = "projects/{{project}}/managedZones/{{name}}"
to = google_dns_managed_zone.default
}
When using the terraform import
command, ManagedZone can be imported using one of the formats above. For example:
$ terraform import google_dns_managed_zone.default projects/{{project}}/managedZones/{{name}}
$ terraform import google_dns_managed_zone.default {{project}}/{{name}}
$ terraform import google_dns_managed_zone.default {{name}}
This resource supports User Project Overrides.