feat!: Adding blueprint metadata for cloud dns module (#137)

Co-authored-by: Saranya3 <ssranya@google.com>
Co-authored-by: Ayush Jain <124978972+ayushmjain@users.noreply.github.com>

Author: Saranya3

Makefile

@@ -68,6 +68,7 @@ docker_test_integration:
 .PHONY: docker_test_lint
 docker_test_lint:
 	docker run --rm -it \
+		-e ENABLE_BPMETADATA=1 \
 		-v $(CURDIR):/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/usr/local/bin/test_lint.sh
@@ -76,9 +77,10 @@ docker_test_lint:
 .PHONY: docker_generate_docs
 docker_generate_docs:
 	docker run --rm -it \
-		-v $(CURDIR):/workspace \
+	    -e ENABLE_BPMETADATA=1 \
+		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
-		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
+		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs display'
 
 # Alias for backwards compatibility
 .PHONY: generate_docs

README.md

@@ -67,11 +67,16 @@ Functional examples are included in the [examples](./examples/) directory.
 | domain | Zone domain, must end with a period. | `string` | n/a | yes |
 | enable\_logging | Enable query logging for this ManagedZone | `bool` | `false` | no |
 | force\_destroy | Set this true to delete all records in the zone. | `bool` | `false` | no |
+| gke\_clusters\_list | The list of Google Kubernetes Engine clusters that can see this zone. | `list(string)` | `[]` | no |
+| iam\_choice | Choose one of the following 'iam\_binding', 'iam\_member' or 'iam\_policy' for managed zone iam | `string` | `null` | no |
 | labels | A set of key/value label pairs to assign to this ManagedZone | `map(any)` | `{}` | no |
+| member | Identities the user/service account that will be granted the privilege in role (for case: managed\_zone\_iam\_member) | `string` | `null` | no |
+| members | Identities the users/service accounts that will be granted the privilege in role (for case: managed\_zone\_iam\_policy, managed\_zone\_iam\_binding) | `list(string)` | `null` | no |
 | name | Zone name, must be unique within the project. | `string` | n/a | yes |
 | private\_visibility\_config\_networks | List of VPC self links that can see this zone. | `list(string)` | `[]` | no |
 | project\_id | Project id for the zone. | `string` | n/a | yes |
 | recordsets | List of DNS record objects to manage, in the standard terraform dns structure. | <pre>list(object({<br>    name    = string<br>    type    = string<br>    ttl     = number<br>    records = optional(list(string), null)<br><br>    routing_policy = optional(object({<br>      wrr = optional(list(object({<br>        weight  = number<br>        records = list(string)<br>      })), [])<br>      geo = optional(list(object({<br>        location = string<br>        records  = list(string)<br>      })), [])<br>    }))<br>  }))</pre> | `[]` | no |
+| role | The role that should be applied | `string` | `null` | no |
 | service\_namespace\_url | The fully qualified or partial URL of the service directory namespace that should be associated with the zone. This should be formatted like https://servicedirectory.googleapis.com/v1/projects/{project}/locations/{location}/namespaces/{namespace_id} or simply projects/{project}/locations/{location}/namespaces/{namespace\_id}. | `string` | `""` | no |
 | target\_name\_server\_addresses | List of target name servers for forwarding zone. | `list(map(any))` | `[]` | no |
 | target\_network | Peering network. | `string` | `""` | no |
@@ -82,6 +87,7 @@ Functional examples are included in the [examples](./examples/) directory.
 | Name | Description |
 |------|-------------|
 | domain | The DNS zone domain. |
+| etag | The etag of the IAM policy |
 | name | The DNS zone name. |
 | name\_servers | The DNS zone name servers. |
 | type | The DNS zone type. |

examples/peering-zone/main.tf

@@ -25,4 +25,9 @@ module "dns-peering-zone" {
   private_visibility_config_networks = [var.network_self_link]
   target_network                     = var.target_network_self_link
   labels                             = var.labels
+
+  iam_choice   = "iam_member"
+  role         = "roles/viewer"
+  member       = "serviceAccount:ci-account@${var.project_id}.gserviceaccount.com"
+  members      = []
 }

examples/private-zone/main.tf

@@ -68,4 +68,9 @@ module "dns-private-zone" {
       ]
     },
   ]
+
+  iam_choice   = "iam_policy"
+  role         = "roles/dns.reader"
+  member       = "serviceAccount:ci-account@${var.project_id}.iam.gserviceaccount.com"
+  members      = []
 }

examples/private-zone/outputs.tf

@@ -18,3 +18,9 @@ output "name_servers" {
   description = "Zone name servers."
   value       = module.dns-private-zone.name_servers
 }
+
+output "etag" {
+  description = "The etag of the IAM policy."
+  value       = module.dns-private-zone.etag
+}
+

examples/public-zone/main.tf

@@ -69,4 +69,9 @@ module "dns-public-zone" {
       ]
     },
   ]
+
+  iam_choice   = "iam_policy"
+  role         = "roles/dns.reader"
+  member       = "serviceAccount:ci-account@${var.project_id}.iam.gserviceaccount.com"
+  members      = []
 }

main.tf

@@ -14,6 +14,15 @@
  * limitations under the License.
  */
 
+data "google_iam_policy" "admin" {
+  count = var.iam_choice == "iam_policy" && var.role != null && var.members != null ? 1 : 0
+
+  binding {
+    role    = var.role
+    members = var.members
+  }
+}
+
 resource "google_dns_managed_zone" "peering" {
   count         = var.type == "peering" ? 1 : 0
   project       = var.project_id
@@ -25,14 +34,22 @@ resource "google_dns_managed_zone" "peering" {
   force_destroy = var.force_destroy
 
   dynamic "private_visibility_config" {
-    for_each = length(var.private_visibility_config_networks) > 0 ? [1] : []
+    for_each = length(var.private_visibility_config_networks) > 0 || length(var.gke_clusters_list) > 0 ? [1] : []
+
     content {
       dynamic "networks" {
-        for_each = var.private_visibility_config_networks
+        for_each = toset(var.private_visibility_config_networks)
         content {
           network_url = networks.value
         }
       }
+
+      dynamic "gke_clusters" {
+        for_each = toset(var.gke_clusters_list)
+        content {
+          gke_cluster_name = gke_clusters.value
+        }
+      }
     }
   }
 
@@ -54,14 +71,22 @@ resource "google_dns_managed_zone" "forwarding" {
   force_destroy = var.force_destroy
 
   dynamic "private_visibility_config" {
-    for_each = length(var.private_visibility_config_networks) > 0 ? [1] : []
+    for_each = length(var.private_visibility_config_networks) > 0 || length(var.gke_clusters_list) > 0 ? [1] : []
+
     content {
       dynamic "networks" {
-        for_each = var.private_visibility_config_networks
+        for_each = toset(var.private_visibility_config_networks)
         content {
           network_url = networks.value
         }
       }
+
+      dynamic "gke_clusters" {
+        for_each = toset(var.gke_clusters_list)
+        content {
+          gke_cluster_name = gke_clusters.value
+        }
+      }
     }
   }
 
@@ -87,14 +112,22 @@ resource "google_dns_managed_zone" "private" {
   force_destroy = var.force_destroy
 
   dynamic "private_visibility_config" {
-    for_each = length(var.private_visibility_config_networks) > 0 ? [1] : []
+    for_each = length(var.private_visibility_config_networks) > 0 || length(var.gke_clusters_list) > 0 ? [1] : []
+
     content {
       dynamic "networks" {
-        for_each = var.private_visibility_config_networks
+        for_each = toset(var.private_visibility_config_networks)
         content {
           network_url = networks.value
         }
       }
+
+      dynamic "gke_clusters" {
+        for_each = toset(var.gke_clusters_list)
+        content {
+          gke_cluster_name = gke_clusters.value
+        }
+      }
     }
   }
 }
@@ -151,14 +184,22 @@ resource "google_dns_managed_zone" "reverse_lookup" {
   reverse_lookup = true
 
   dynamic "private_visibility_config" {
-    for_each = length(var.private_visibility_config_networks) > 0 ? [1] : []
+    for_each = length(var.private_visibility_config_networks) > 0 || length(var.gke_clusters_list) > 0 ? [1] : []
+
     content {
       dynamic "networks" {
-        for_each = var.private_visibility_config_networks
+        for_each = toset(var.private_visibility_config_networks)
         content {
           network_url = networks.value
         }
       }
+
+      dynamic "gke_clusters" {
+        for_each = toset(var.gke_clusters_list)
+        content {
+          gke_cluster_name = gke_clusters.value
+        }
+      }
     }
   }
 }
@@ -175,11 +216,22 @@ resource "google_dns_managed_zone" "service_directory" {
   visibility    = "private"
   force_destroy = var.force_destroy
 
-  private_visibility_config {
-    dynamic "networks" {
-      for_each = var.private_visibility_config_networks
-      content {
-        network_url = networks.value
+  dynamic "private_visibility_config" {
+    for_each = length(var.private_visibility_config_networks) > 0 || length(var.gke_clusters_list) > 0 ? [1] : []
+
+    content {
+      dynamic "networks" {
+        for_each = toset(var.private_visibility_config_networks)
+        content {
+          network_url = networks.value
+        }
+      }
+
+      dynamic "gke_clusters" {
+        for_each = toset(var.gke_clusters_list)
+        content {
+          gke_cluster_name = gke_clusters.value
+        }
       }
     }
   }
@@ -234,3 +286,56 @@ resource "google_dns_record_set" "cloud-static-records" {
     google_dns_managed_zone.public,
   ]
 }
+
+resource "google_dns_managed_zone_iam_policy" "managed_zone_iam_policy" {
+  count = var.iam_choice == "iam_policy" && var.role != null && var.members != null ? 1 : 0
+
+  managed_zone = var.name
+  project      = var.project_id
+  policy_data  = data.google_iam_policy.admin[0].policy_data
+
+  depends_on = [
+    google_dns_managed_zone.private,
+    google_dns_managed_zone.public,
+    google_dns_managed_zone.peering,
+    google_dns_managed_zone.forwarding,
+    google_dns_managed_zone.reverse_lookup,
+    google_dns_managed_zone.service_directory,
+  ]
+}
+
+resource "google_dns_managed_zone_iam_binding" "managed_zone_iam_binding" {
+  count = var.iam_choice == "iam_binding" && var.role != null && var.members != null ? 1 : 0
+
+  managed_zone = var.name
+  members      = var.members
+  role         = var.role
+  project      = var.project_id
+
+  depends_on = [
+    google_dns_managed_zone.private,
+    google_dns_managed_zone.public,
+    google_dns_managed_zone.peering,
+    google_dns_managed_zone.forwarding,
+    google_dns_managed_zone.reverse_lookup,
+    google_dns_managed_zone.service_directory,
+  ]
+}
+
+resource "google_dns_managed_zone_iam_member" "managed_zone_iam_member" {
+  count = var.iam_choice == "iam_member" && var.role != null && var.member != null ? 1 : 0
+
+  managed_zone = var.name
+  member       = var.member
+  role         = var.role
+  project      = var.project_id
+
+  depends_on = [
+    google_dns_managed_zone.private,
+    google_dns_managed_zone.public,
+    google_dns_managed_zone.peering,
+    google_dns_managed_zone.forwarding,
+    google_dns_managed_zone.reverse_lookup,
+    google_dns_managed_zone.service_directory,
+  ]
+}

metadata.display.yaml

@@ -0,0 +1,105 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+  name: terraform-google-cloud-dns-display
+  annotations:
+    config.kubernetes.io/local-config: "true"
+spec:
+  info:
+    title: Terraform Google Cloud DNS Module
+    source:
+      repo: https://github.com/terraform-google-modules/terraform-google-cloud-dns.git
+      sourceType: git
+  ui:
+    input:
+      variables:
+        default_key_specs_key:
+          name: default_key_specs_key
+          title: Default Key Specs Key
+        default_key_specs_zone:
+          name: default_key_specs_zone
+          title: Default Key Specs Zone
+        description:
+          name: description
+          title: Description
+        dnssec_config:
+          name: dnssec_config
+          title: Dnssec Config
+        domain:
+          name: domain
+          title: Domain
+        enable_logging:
+          name: enable_logging
+          title: Enable Logging
+        force_destroy:
+          name: force_destroy
+          title: Force Destroy
+        gke_clusters_list:
+          name: gke_clusters_list
+          title: Gke Clusters List
+          level: 1
+        iam_choice:
+          name: iam_choice
+          title: Iam Choice
+          level: 1
+        labels:
+          name: labels
+          title: Labels
+          level: 1
+        member:
+          name: member
+          title: Member
+          level: 1
+        members:
+          name: members
+          title: Members
+          level: 1
+        name:
+          name: name
+          title: Name
+        private_visibility_config_networks:
+          name: private_visibility_config_networks
+          title: Private Visibility Config Networks
+          level: 1
+        project_id:
+          name: project_id
+          title: Project Id
+        recordsets:
+          name: recordsets
+          title: Recordsets
+          level: 1
+        role:
+          name: role
+          title: Role
+          level: 1
+        service_namespace_url:
+          name: service_namespace_url
+          title: Service Namespace Url
+        target_name_server_addresses:
+          name: target_name_server_addresses
+          title: Target Name Server Addresses
+        target_network:
+          name: target_network
+          title: Target Network
+        type:
+          name: type
+          title: Type
+          level: 1
+    runtime:
+      outputs:
+        domain:
+          visibility: VISIBILITY_ROOT