
Commit edd5ccb

authored
feat: Add blueprint metadata for cloud dns module (#129)
Co-authored-by: Saranya3 <ssranya@google.com>
1 parent 6baa80d commit edd5ccb


24 files changed

+780
-25
lines changed


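--- a/Makefile
+++ b/Makefile
@@ -68,6 +68,7 @@ docker_test_integration:
 .PHONY: docker_test_lint
 docker_test_lint:
 docker run --rm -it \
+-e ENABLE_BPMETADATA=1 \
 -v $(CURDIR):/workspace \
 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 /usr/local/bin/test_lint.sh
@@ -76,9 +77,10 @@ docker_test_lint:
 .PHONY: docker_generate_docs
 docker_generate_docs:
 docker run --rm -it \
--v $(CURDIR):/workspace \
+-e ENABLE_BPMETADATA=1 \
+-v "$(CURDIR)":/workspace \
 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
-/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
+/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs display'
 
 # Alias for backwards compatibility
 .PHONY: generate_docs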
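Review bot: The bind-mount argument is quoted in docker_generate_docs but the matching line in docker_test_lint is left unquoted (`-v $(CURDIR):/workspace \`), so a checkout path containing spaces still breaks that target; change it to `-v "$(CURDIR)":/workspace \` so the two recipes agree. The new `-e ENABLE_BPMETADATA=1` is hard-coded in both recipes; a `?=` variable at the top of the file (`ENABLE_BPMETADATA ?= 1`, referenced as `-e ENABLE_BPMETADATA=$(ENABLE_BPMETADATA)`) would let callers switch metadata generation off from the command line without editing the recipe. Both recipes are complete within their hunks.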

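--- a/README.md
+++ b/README.md
@@ -67,11 +67,16 @@ Functional examples are included in the [examples](./examples/) directory.
 | domain | Zone domain, must end with a period. | `string` | n/a | yes |
 | enable\_logging | Enable query logging for this ManagedZone | `bool` | `false` | no |
 | force\_destroy | Set this true to delete all records in the zone. | `bool` | `false` | no |
+| gke\_clusters\_list | The list of Google Kubernetes Engine clusters that can see this zone. | `list(string)` | `[]` | no |
+| iam\_choice | Opt 1. iam\_binding, 2. iam\_member, 3. iam\_policy | `string` | n/a | yes |
 | labels | A set of key/value label pairs to assign to this ManagedZone | `map(any)` | `{}` | no |
+| member | Identities that will be granted the privilege in role | `string` | n/a | yes |
+| members | Identities that will be granted the privilege in role | `list(string)` | n/a | yes |
 | name | Zone name, must be unique within the project. | `string` | n/a | yes |
 | private\_visibility\_config\_networks | List of VPC self links that can see this zone. | `list(string)` | `[]` | no |
 | project\_id | Project id for the zone. | `string` | n/a | yes |
 | recordsets | List of DNS record objects to manage, in the standard terraform dns structure. | <pre>list(object({<br> name = string<br> type = string<br> ttl = number<br> records = optional(list(string), null)<br><br> routing_policy = optional(object({<br> wrr = optional(list(object({<br> weight = number<br> records = list(string)<br> })), [])<br> geo = optional(list(object({<br> location = string<br> records = list(string)<br> })), [])<br> }))<br> }))</pre> | `[]` | no |
+| role | The role that should be applied | `string` | n/a | yes |
 | service\_namespace\_url | The fully qualified or partial URL of the service directory namespace that should be associated with the zone. This should be formatted like https://servicedirectory.googleapis.com/v1/projects/{project}/locations/{location}/namespaces/{namespace_id} or simply projects/{project}/locations/{location}/namespaces/{namespace\_id}. | `string` | `""` | no |
 | target\_name\_server\_addresses | List of target name servers for forwarding zone. | `list(map(any))` | `[]` | no |
 | target\_network | Peering network. | `string` | `""` | no |
@@ -82,6 +87,7 @@ Functional examples are included in the [examples](./examples/) directory.
 | Name | Description |
 |------|-------------|
 | domain | The DNS zone domain. |
+| etag | The etag of the IAM policy |
 | name | The DNS zone name. |
 | name\_servers | The DNS zone name servers. |
 | type | The DNS zone type. |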

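--- a/examples/dns_response_policy/main.tf
+++ b/examples/dns_response_policy/main.tf
@@ -16,7 +16,7 @@
 
 module "dns_response_policy" {
 source = "terraform-google-modules/cloud-dns/google//modules/dns_response_policy"
-version = "~> 6.0"
+version = "~> 6.1.0"
 
 project_id = var.project_id
 policy_name = "dns-response-policy-test"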

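--- a/examples/forwarding-zone/main.tf
+++ b/examples/forwarding-zone/main.tf
@@ -16,7 +16,7 @@
 
 module "dns-forwarding-zone" {
 source = "terraform-google-modules/cloud-dns/google"
-version = "~> 6.0"
+version = "~> 6.1.0"
 
 project_id = var.project_id
 type = "forwarding"
@@ -35,4 +35,9 @@ module "dns-forwarding-zone" {
 forwarding_path = "default"
 }
 ]
+
+iam_choice = "iam_member"
+role = "roles/viewer"
+member = "serviceAccount:ci-account@${var.project_id}.iam.gserviceaccount.com"
+members = []
 }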
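Review bot: The new IAM block grants `roles/viewer`, a basic role, whereas the private-zone and public-zone examples in this same commit grant the DNS-specific `roles/dns.reader`; for a binding scoped to a single managed zone the narrower predefined role is the better example to publish, so `role = "roles/dns.reader"` here. The peering-zone example makes the same choice. `members = []` appears to be present only because the README marks all four IAM inputs as required even when `iam_choice` is `"iam_member"`; a comment such as `# not used for iam_member; the module input is required` would save readers a question.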

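--- a/examples/peering-zone/main.tf
+++ b/examples/peering-zone/main.tf
@@ -16,7 +16,7 @@
 
 module "dns-peering-zone" {
 source = "terraform-google-modules/cloud-dns/google"
-version = "~> 6.0"
+version = "~> 6.1.0"
 
 project_id = var.project_id
 type = "peering"
@@ -25,4 +25,9 @@ module "dns-peering-zone" {
 private_visibility_config_networks = [var.network_self_link]
 target_network = var.target_network_self_link
 labels = var.labels
+
+iam_choice = "iam_member"
+role = "roles/viewer"
+member = "serviceAccount:ci-account@${var.project_id}.gserviceaccount.com"
+members = []
 }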
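Review bot: The principal on the new `member` line ends in `${var.project_id}.gserviceaccount.com`, while the forwarding, private and public examples in this commit use `${var.project_id}.iam.gserviceaccount.com`; user-managed service accounts carry the `.iam.gserviceaccount.com` suffix, so this binding most likely names an account that does not exist and the example apply would fail or grant nothing. Change it to `member = "serviceAccount:ci-account@${var.project_id}.iam.gserviceaccount.com"` to match the other examples.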

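--- a/examples/private-zone/main.tf
+++ b/examples/private-zone/main.tf
@@ -16,7 +16,7 @@
 
 module "dns-private-zone" {
 source = "terraform-google-modules/cloud-dns/google"
-version = "~> 6.0"
+version = "~> 6.1.0"
 
 project_id = var.project_id
 type = "private"
@@ -68,4 +68,9 @@ module "dns-private-zone" {
 ]
 },
 ]
+
+iam_choice = "iam_policy"
+role = "roles/dns.reader"
+member = "serviceAccount:ci-account@${var.project_id}.iam.gserviceaccount.com"
+members = []
 }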
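Review bot: With `iam_choice = "iam_policy"` the module's new `google_dns_managed_zone_iam_policy` resource takes its bindings from `data.google_iam_policy.admin`, which reads `var.members`, not `var.member`; this example passes `members = []`, so the `member` line is ignored and the authoritative policy written to the zone holds a binding with no principals while removing any bindings granted outside the module. The example presumably meant `members = ["serviceAccount:ci-account@${var.project_id}.iam.gserviceaccount.com"]` with `member` set to an empty string. The public-zone example has the same mismatch.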

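--- a/examples/private-zone/outputs.tf
+++ b/examples/private-zone/outputs.tf
@@ -18,3 +18,9 @@ output "name_servers" {
 description = "Zone name servers."
 value = module.dns-private-zone.name_servers
 }
+
+output "etag" {
+description = "The etag of the IAM policy."
+value = module.dns-private-zone.etag
+}
+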
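--- a/examples/public-zone/main.tf
+++ b/examples/public-zone/main.tf
@@ -16,7 +16,7 @@
 
 module "dns-public-zone" {
 source = "terraform-google-modules/cloud-dns/google"
-version = "~> 6.0"
+version = "~> 6.1.0"
 
 project_id = var.project_id
 type = "public"
@@ -69,4 +69,9 @@ module "dns-public-zone" {
 ]
 },
 ]
+
+iam_choice = "iam_policy"
+role = "roles/dns.reader"
+member = "serviceAccount:ci-account@${var.project_id}.iam.gserviceaccount.com"
+members = []
 }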

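--- a/examples/public-zone/variables.tf
+++ b/examples/public-zone/variables.tf
@@ -21,12 +21,12 @@ variable "project_id" {
 
 variable "name" {
 description = "DNS zone name."
-default = "foo-example-invalid-org"
+default = "foo-example-org"
 }
 
 variable "domain" {
 description = "Zone domain."
-default = "foo.example-invalid.org."
+default = "foo.example.org."
 }
 
 variable "network_self_links" {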

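--- a/main.tf
+++ b/main.tf
@@ -14,6 +14,13 @@
 * limitations under the License.
 */
 
+data "google_iam_policy" "admin" {
+binding {
+role = var.role
+members = var.members
+}
+}
+
 resource "google_dns_managed_zone" "peering" {
 count = var.type == "peering" ? 1 : 0
 project = var.project_id
@@ -25,14 +32,22 @@ resource "google_dns_managed_zone" "peering" {
 force_destroy = var.force_destroy
 
 dynamic "private_visibility_config" {
-for_each = length(var.private_visibility_config_networks) > 0 ? [1] : []
+for_each = length(var.private_visibility_config_networks) > 0 || length(var.gke_clusters_list) > 0 ? [1] : []
+
 content {
 dynamic "networks" {
-for_each = var.private_visibility_config_networks
+for_each = toset(var.private_visibility_config_networks)
 content {
 network_url = networks.value
 }
 }
+
+dynamic "gke_clusters" {
+for_each = toset(var.gke_clusters_list)
+content {
+gke_cluster_name = gke_clusters.value
+}
+}
 }
 }
 
@@ -54,14 +69,22 @@ resource "google_dns_managed_zone" "forwarding" {
 force_destroy = var.force_destroy
 
 dynamic "private_visibility_config" {
-for_each = length(var.private_visibility_config_networks) > 0 ? [1] : []
+for_each = length(var.private_visibility_config_networks) > 0 || length(var.gke_clusters_list) > 0 ? [1] : []
+
 content {
 dynamic "networks" {
-for_each = var.private_visibility_config_networks
+for_each = toset(var.private_visibility_config_networks)
 content {
 network_url = networks.value
 }
 }
+
+dynamic "gke_clusters" {
+for_each = toset(var.gke_clusters_list)
+content {
+gke_cluster_name = gke_clusters.value
+}
+}
 }
 }
 
@@ -87,14 +110,22 @@ resource "google_dns_managed_zone" "private" {
 force_destroy = var.force_destroy
 
 dynamic "private_visibility_config" {
-for_each = length(var.private_visibility_config_networks) > 0 ? [1] : []
+for_each = length(var.private_visibility_config_networks) > 0 || length(var.gke_clusters_list) > 0 ? [1] : []
+
 content {
 dynamic "networks" {
-for_each = var.private_visibility_config_networks
+for_each = toset(var.private_visibility_config_networks)
 content {
 network_url = networks.value
 }
 }
+
+dynamic "gke_clusters" {
+for_each = toset(var.gke_clusters_list)
+content {
+gke_cluster_name = gke_clusters.value
+}
+}
 }
 }
 }
@@ -151,14 +182,22 @@ resource "google_dns_managed_zone" "reverse_lookup" {
 reverse_lookup = true
 
 dynamic "private_visibility_config" {
-for_each = length(var.private_visibility_config_networks) > 0 ? [1] : []
+for_each = length(var.private_visibility_config_networks) > 0 || length(var.gke_clusters_list) > 0 ? [1] : []
+
 content {
 dynamic "networks" {
-for_each = var.private_visibility_config_networks
+for_each = toset(var.private_visibility_config_networks)
 content {
 network_url = networks.value
 }
 }
+
+dynamic "gke_clusters" {
+for_each = toset(var.gke_clusters_list)
+content {
+gke_cluster_name = gke_clusters.value
+}
+}
 }
 }
 }
@@ -175,11 +214,22 @@ resource "google_dns_managed_zone" "service_directory" {
 visibility = "private"
 force_destroy = var.force_destroy
 
-private_visibility_config {
-dynamic "networks" {
-for_each = var.private_visibility_config_networks
-content {
-network_url = networks.value
+dynamic "private_visibility_config" {
+for_each = length(var.private_visibility_config_networks) > 0 || length(var.gke_clusters_list) > 0 ? [1] : []
+
+content {
+dynamic "networks" {
+for_each = toset(var.private_visibility_config_networks)
+content {
+network_url = networks.value
+}
+}
+
+dynamic "gke_clusters" {
+for_each = toset(var.gke_clusters_list)
+content {
+gke_cluster_name = gke_clusters.value
+}
 }
 }
 }
@@ -234,3 +284,56 @@ resource "google_dns_record_set" "cloud-static-records" {
 google_dns_managed_zone.public,
 ]
 }
+
+resource "google_dns_managed_zone_iam_policy" "managed_zone_iam_policy" {
+count = var.iam_choice == "iam_policy" ? 1 : 0
+
+managed_zone = var.name
+project = var.project_id
+policy_data = data.google_iam_policy.admin.policy_data
+
+depends_on = [
+google_dns_managed_zone.private,
+google_dns_managed_zone.public,
+google_dns_managed_zone.peering,
+google_dns_managed_zone.forwarding,
+google_dns_managed_zone.reverse_lookup,
+google_dns_managed_zone.service_directory,
+]
+}
+
+resource "google_dns_managed_zone_iam_binding" "managed_zone_iam_binding" {
+count = var.iam_choice == "iam_binding" ? 1 : 0
+
+managed_zone = var.name
+members = var.members
+role = var.role
+project = var.project_id
+
+depends_on = [
+google_dns_managed_zone.private,
+google_dns_managed_zone.public,
+google_dns_managed_zone.peering,
+google_dns_managed_zone.forwarding,
+google_dns_managed_zone.reverse_lookup,
+google_dns_managed_zone.service_directory,
+]
+}
+
+resource "google_dns_managed_zone_iam_member" "managed_zone_iam_member" {
+count = var.iam_choice == "iam_member" ? 1 : 0
+
+managed_zone = var.name
+member = var.member
+role = var.role
+project = var.project_id
+
+depends_on = [
+google_dns_managed_zone.private,
+google_dns_managed_zone.public,
+google_dns_managed_zone.peering,
+google_dns_managed_zone.forwarding,
+google_dns_managed_zone.reverse_lookup,
+google_dns_managed_zone.service_directory,
+]
+}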
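Review bot: `google_dns_managed_zone_iam_policy` in the last hunk is authoritative: it replaces the zone's entire IAM policy with the single binding built in `data.google_iam_policy.admin`, so bindings granted outside this module are removed on apply, and with an empty `members` list it leaves the zone with a binding that has no principals; that deserves a comment above the resource, e.g. `# Authoritative: overwrites the zone's whole IAM policy with the single role/members binding; bindings managed elsewhere are dropped.` `iam_choice` is only compared against three string literals and nothing is created for any other value, so a `validation` block on the variable (in variables.tf, outside this diff) restricting it to `iam_binding`, `iam_member` and `iam_policy` would turn a typo into a plan-time error instead of a silently unprotected zone. The `data "google_iam_policy" "admin"` block in the first hunk is evaluated for every caller, including those selecting `iam_member` or `iam_binding`; giving it the same `count` as the policy resource keeps the two paths independent.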
