diff --git a/Makefile b/Makefile
index 8955bbd..af223cc 100644
--- a/Makefile
+++ b/Makefile
@@ -68,7 +68,6 @@ docker_test_integration:
.PHONY: docker_test_lint
docker_test_lint:
docker run --rm -it \
- -e ENABLE_BPMETADATA=1 \
-v $(CURDIR):/workspace \
$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
/usr/local/bin/test_lint.sh
@@ -77,10 +76,9 @@ docker_test_lint:
.PHONY: docker_generate_docs
docker_generate_docs:
docker run --rm -it \
- -e ENABLE_BPMETADATA=1 \
- -v "$(CURDIR)":/workspace \
+ -v $(CURDIR):/workspace \
$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs display'
+ /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
# Alias for backwards compatibility
.PHONY: generate_docs
diff --git a/README.md b/README.md
index 2bff316..fde3b00 100644
--- a/README.md
+++ b/README.md
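Review bot: The new `-v $(CURDIR):/workspace \` in docker_generate_docs drops the quoting the removed line had, so a checkout path containing whitespace is split into several docker arguments and the bind mount fails. The safer direction is to quote both targets rather than unquote this one for consistency: `-v "$(CURDIR)":/workspace \` here and in the docker_test_lint recipe of the first hunk. Dropping `-e ENABLE_BPMETADATA=1` is consistent with the metadata.yaml deletions elsewhere in the commit.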
@@ -67,16 +67,11 @@ Functional examples are included in the [examples](./examples/) directory.
| domain | Zone domain, must end with a period. | `string` | n/a | yes |
| enable\_logging | Enable query logging for this ManagedZone | `bool` | `false` | no |
| force\_destroy | Set this true to delete all records in the zone. | `bool` | `false` | no |
-| gke\_clusters\_list | The list of Google Kubernetes Engine clusters that can see this zone. | `list(string)` | `[]` | no |
-| iam\_choice | Opt 1. iam\_binding, 2. iam\_member, 3. iam\_policy | `string` | n/a | yes |
| labels | A set of key/value label pairs to assign to this ManagedZone | `map(any)` | `{}` | no |
-| member | Identities that will be granted the privilege in role | `string` | n/a | yes |
-| members | Identities that will be granted the privilege in role | `list(string)` | n/a | yes |
| name | Zone name, must be unique within the project. | `string` | n/a | yes |
| private\_visibility\_config\_networks | List of VPC self links that can see this zone. | `list(string)` | `[]` | no |
| project\_id | Project id for the zone. | `string` | n/a | yes |
| recordsets | List of DNS record objects to manage, in the standard terraform dns structure. |
list(object({
name = string
type = string
ttl = number
records = optional(list(string), null)
routing_policy = optional(object({
wrr = optional(list(object({
weight = number
records = list(string)
})), [])
geo = optional(list(object({
location = string
records = list(string)
})), [])
}))
})) | `[]` | no |
-| role | The role that should be applied | `string` | n/a | yes |
| service\_namespace\_url | The fully qualified or partial URL of the service directory namespace that should be associated with the zone. This should be formatted like https://servicedirectory.googleapis.com/v1/projects/{project}/locations/{location}/namespaces/{namespace_id} or simply projects/{project}/locations/{location}/namespaces/{namespace\_id}. | `string` | `""` | no |
| target\_name\_server\_addresses | List of target name servers for forwarding zone. | `list(map(any))` | `[]` | no |
| target\_network | Peering network. | `string` | `""` | no |
@@ -87,7 +82,6 @@ Functional examples are included in the [examples](./examples/) directory.
| Name | Description |
|------|-------------|
| domain | The DNS zone domain. |
-| etag | The etag of the IAM policy |
| name | The DNS zone name. |
| name\_servers | The DNS zone name servers. |
| type | The DNS zone type. |
diff --git a/examples/dns_response_policy/main.tf b/examples/dns_response_policy/main.tf
index c30e7bd..8de2953 100644
--- a/examples/dns_response_policy/main.tf
+++ b/examples/dns_response_policy/main.tf
@@ -16,7 +16,7 @@
module "dns_response_policy" {
source = "terraform-google-modules/cloud-dns/google//modules/dns_response_policy"
- version = "~> 6.1.0"
+ version = "~> 6.0"
project_id = var.project_id
policy_name = "dns-response-policy-test"
diff --git a/examples/forwarding-zone/main.tf b/examples/forwarding-zone/main.tf
index ade16b8..59737d7 100644
--- a/examples/forwarding-zone/main.tf
+++ b/examples/forwarding-zone/main.tf
@@ -16,7 +16,7 @@
module "dns-forwarding-zone" {
source = "terraform-google-modules/cloud-dns/google"
- version = "~> 6.1.0"
+ version = "~> 6.0"
project_id = var.project_id
type = "forwarding"
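Review bot: Widening the constraint to `version = "~> 6.0"` lets this example resolve to any 6.x release, yet the example no longer passes `iam_choice`, `role`, `member` and `members`, which the deleted metadata.yaml records as required in 6.2.0; a user copying the example could therefore hit missing-required-argument errors until a release without those variables is published. Removing required variables is an interface break that arguably warrants a major bump and a matching constraint here and in the peering-zone, private-zone and public-zone hunks, or at least a README upgrade note saying which release the examples target. The module block continues below the hunk.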
@@ -35,9 +35,4 @@ module "dns-forwarding-zone" {
forwarding_path = "default"
}
]
-
- iam_choice = "iam_member"
- role = "roles/viewer"
- member = "serviceAccount:ci-account@${var.project_id}.iam.gserviceaccount.com"
- members = []
}
diff --git a/examples/peering-zone/main.tf b/examples/peering-zone/main.tf
index bec8cd9..f002a91 100644
--- a/examples/peering-zone/main.tf
+++ b/examples/peering-zone/main.tf
@@ -16,7 +16,7 @@
module "dns-peering-zone" {
source = "terraform-google-modules/cloud-dns/google"
- version = "~> 6.1.0"
+ version = "~> 6.0"
project_id = var.project_id
type = "peering"
@@ -25,9 +25,4 @@ module "dns-peering-zone" {
private_visibility_config_networks = [var.network_self_link]
target_network = var.target_network_self_link
labels = var.labels
-
- iam_choice = "iam_member"
- role = "roles/viewer"
- member = "serviceAccount:ci-account@${var.project_id}.gserviceaccount.com"
- members = []
}
diff --git a/examples/private-zone/main.tf b/examples/private-zone/main.tf
index 45933d9..18604f1 100644
--- a/examples/private-zone/main.tf
+++ b/examples/private-zone/main.tf
@@ -16,7 +16,7 @@
module "dns-private-zone" {
source = "terraform-google-modules/cloud-dns/google"
- version = "~> 6.1.0"
+ version = "~> 6.0"
project_id = var.project_id
type = "private"
@@ -68,9 +68,4 @@ module "dns-private-zone" {
]
},
]
-
- iam_choice = "iam_policy"
- role = "roles/dns.reader"
- member = "serviceAccount:ci-account@${var.project_id}.iam.gserviceaccount.com"
- members = []
}
diff --git a/examples/private-zone/outputs.tf b/examples/private-zone/outputs.tf
index 0c4a0c4..fa44e34 100644
--- a/examples/private-zone/outputs.tf
+++ b/examples/private-zone/outputs.tf
@@ -18,9 +18,3 @@ output "name_servers" {
description = "Zone name servers."
value = module.dns-private-zone.name_servers
}
-
-output "etag" {
- description = "The etag of the IAM policy."
- value = module.dns-private-zone.etag
-}
-
diff --git a/examples/public-zone/main.tf b/examples/public-zone/main.tf
index 5ce65e5..a1a5572 100644
--- a/examples/public-zone/main.tf
+++ b/examples/public-zone/main.tf
@@ -16,7 +16,7 @@
module "dns-public-zone" {
source = "terraform-google-modules/cloud-dns/google"
- version = "~> 6.1.0"
+ version = "~> 6.0"
project_id = var.project_id
type = "public"
@@ -69,9 +69,4 @@ module "dns-public-zone" {
]
},
]
-
- iam_choice = "iam_policy"
- role = "roles/dns.reader"
- member = "serviceAccount:ci-account@${var.project_id}.iam.gserviceaccount.com"
- members = []
}
diff --git a/main.tf b/main.tf
index 4366e6b..c718d72 100644
--- a/main.tf
+++ b/main.tf
@@ -14,13 +14,6 @@
* limitations under the License.
*/
-data "google_iam_policy" "admin" {
- binding {
- role = var.role
- members = var.members
- }
-}
-
resource "google_dns_managed_zone" "peering" {
count = var.type == "peering" ? 1 : 0
project = var.project_id
@@ -32,22 +25,14 @@ resource "google_dns_managed_zone" "peering" {
force_destroy = var.force_destroy
dynamic "private_visibility_config" {
- for_each = length(var.private_visibility_config_networks) > 0 || length(var.gke_clusters_list) > 0 ? [1] : []
-
+ for_each = length(var.private_visibility_config_networks) > 0 ? [1] : []
content {
dynamic "networks" {
- for_each = toset(var.private_visibility_config_networks)
+ for_each = var.private_visibility_config_networks
content {
network_url = networks.value
}
}
-
- dynamic "gke_clusters" {
- for_each = toset(var.gke_clusters_list)
- content {
- gke_cluster_name = gke_clusters.value
- }
- }
}
}
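Review bot: Dropping `toset()` at `for_each = var.private_visibility_config_networks` means a caller that lists the same VPC self link twice now emits two identical `networks` blocks where the previous form de-duplicated them; whether the API tolerates duplicate network_url entries is not visible here, so keeping `for_each = toset(var.private_visibility_config_networks)` (or documenting that the list must be unique) is the safer choice. The same change appears in the forwarding, private, reverse_lookup and service_directory hunks below. The resource block continues outside the hunk.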
@@ -69,22 +54,14 @@ resource "google_dns_managed_zone" "forwarding" {
force_destroy = var.force_destroy
dynamic "private_visibility_config" {
- for_each = length(var.private_visibility_config_networks) > 0 || length(var.gke_clusters_list) > 0 ? [1] : []
-
+ for_each = length(var.private_visibility_config_networks) > 0 ? [1] : []
content {
dynamic "networks" {
- for_each = toset(var.private_visibility_config_networks)
+ for_each = var.private_visibility_config_networks
content {
network_url = networks.value
}
}
-
- dynamic "gke_clusters" {
- for_each = toset(var.gke_clusters_list)
- content {
- gke_cluster_name = gke_clusters.value
- }
- }
}
}
@@ -110,22 +87,14 @@ resource "google_dns_managed_zone" "private" {
force_destroy = var.force_destroy
dynamic "private_visibility_config" {
- for_each = length(var.private_visibility_config_networks) > 0 || length(var.gke_clusters_list) > 0 ? [1] : []
-
+ for_each = length(var.private_visibility_config_networks) > 0 ? [1] : []
content {
dynamic "networks" {
- for_each = toset(var.private_visibility_config_networks)
+ for_each = var.private_visibility_config_networks
content {
network_url = networks.value
}
}
-
- dynamic "gke_clusters" {
- for_each = toset(var.gke_clusters_list)
- content {
- gke_cluster_name = gke_clusters.value
- }
- }
}
}
}
@@ -182,22 +151,14 @@ resource "google_dns_managed_zone" "reverse_lookup" {
reverse_lookup = true
dynamic "private_visibility_config" {
- for_each = length(var.private_visibility_config_networks) > 0 || length(var.gke_clusters_list) > 0 ? [1] : []
-
+ for_each = length(var.private_visibility_config_networks) > 0 ? [1] : []
content {
dynamic "networks" {
- for_each = toset(var.private_visibility_config_networks)
+ for_each = var.private_visibility_config_networks
content {
network_url = networks.value
}
}
-
- dynamic "gke_clusters" {
- for_each = toset(var.gke_clusters_list)
- content {
- gke_cluster_name = gke_clusters.value
- }
- }
}
}
}
@@ -214,22 +175,11 @@ resource "google_dns_managed_zone" "service_directory" {
visibility = "private"
force_destroy = var.force_destroy
- dynamic "private_visibility_config" {
- for_each = length(var.private_visibility_config_networks) > 0 || length(var.gke_clusters_list) > 0 ? [1] : []
-
- content {
- dynamic "networks" {
- for_each = toset(var.private_visibility_config_networks)
- content {
- network_url = networks.value
- }
- }
-
- dynamic "gke_clusters" {
- for_each = toset(var.gke_clusters_list)
- content {
- gke_cluster_name = gke_clusters.value
- }
+ private_visibility_config {
+ dynamic "networks" {
+ for_each = var.private_visibility_config_networks
+ content {
+ network_url = networks.value
}
}
}
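Review bot: The service_directory zone now emits `private_visibility_config { ... }` unconditionally, while the peering, forwarding, private and reverse_lookup hunks keep the block behind `for_each = length(var.private_visibility_config_networks) > 0 ? [1] : []`, so with the default empty list only this zone type produces an empty private_visibility_config block. If that is intentional, a comment such as `# private_visibility_config is always set for service_directory zones; networks may be empty` would explain the asymmetry; otherwise the same dynamic guard should be used. The resource block continues outside the hunk.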
@@ -284,56 +234,3 @@ resource "google_dns_record_set" "cloud-static-records" {
google_dns_managed_zone.public,
]
}
-
-resource "google_dns_managed_zone_iam_policy" "managed_zone_iam_policy" {
- count = var.iam_choice == "iam_policy" ? 1 : 0
-
- managed_zone = var.name
- project = var.project_id
- policy_data = data.google_iam_policy.admin.policy_data
-
- depends_on = [
- google_dns_managed_zone.private,
- google_dns_managed_zone.public,
- google_dns_managed_zone.peering,
- google_dns_managed_zone.forwarding,
- google_dns_managed_zone.reverse_lookup,
- google_dns_managed_zone.service_directory,
- ]
-}
-
-resource "google_dns_managed_zone_iam_binding" "managed_zone_iam_binding" {
- count = var.iam_choice == "iam_binding" ? 1 : 0
-
- managed_zone = var.name
- members = var.members
- role = var.role
- project = var.project_id
-
- depends_on = [
- google_dns_managed_zone.private,
- google_dns_managed_zone.public,
- google_dns_managed_zone.peering,
- google_dns_managed_zone.forwarding,
- google_dns_managed_zone.reverse_lookup,
- google_dns_managed_zone.service_directory,
- ]
-}
-
-resource "google_dns_managed_zone_iam_member" "managed_zone_iam_member" {
- count = var.iam_choice == "iam_member" ? 1 : 0
-
- managed_zone = var.name
- member = var.member
- role = var.role
- project = var.project_id
-
- depends_on = [
- google_dns_managed_zone.private,
- google_dns_managed_zone.public,
- google_dns_managed_zone.peering,
- google_dns_managed_zone.forwarding,
- google_dns_managed_zone.reverse_lookup,
- google_dns_managed_zone.service_directory,
- ]
-}
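Review bot: Removing google_dns_managed_zone_iam_policy, _iam_binding and _iam_member from the root module means any consumer that set `iam_choice` will, on upgrade, see Terraform plan the destruction of those grants (for the iam_policy variant the authoritative zone policy), so zone access is revoked as a side effect of a version bump, and nothing in this hunk or the README hunk documents that migration. Because `iam_choice`, `role`, `member` and `members` were required variables, existing callers will also have those arguments rejected as unsupported, which is a breaking interface change rather than a patch-level revert. An upgrade note in the README stating that IAM grants must be moved to caller-managed `google_dns_managed_zone_iam_*` resources before upgrading, together with a major version bump, would address both.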
diff --git a/metadata.display.yaml b/metadata.display.yaml
deleted file mode 100644
index 936ff9d..0000000
--- a/metadata.display.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
-# Copyright 2026 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: blueprints.cloud.google.com/v1alpha1
-kind: BlueprintMetadata
-metadata:
- name: terraform-google-cloud-dns-display
- annotations:
- config.kubernetes.io/local-config: "true"
-spec:
- info:
- title: Terraform Google Cloud DNS Module
- source:
- repo: https://github.com/terraform-google-modules/terraform-google-cloud-dns.git
- sourceType: git
- ui:
- input:
- variables:
- default_key_specs_key:
- name: default_key_specs_key
- title: Default Key Specs Key
- default_key_specs_zone:
- name: default_key_specs_zone
- title: Default Key Specs Zone
- description:
- name: description
- title: Description
- dnssec_config:
- name: dnssec_config
- title: Dnssec Config
- domain:
- name: domain
- title: Domain
- enable_logging:
- name: enable_logging
- title: Enable Logging
- force_destroy:
- name: force_destroy
- title: Force Destroy
- gke_clusters_list:
- name: gke_clusters_list
- title: Gke Clusters List
- level: 1
- iam_choice:
- name: iam_choice
- title: Iam Choice
- labels:
- name: labels
- title: Labels
- member:
- name: member
- title: Member
- members:
- name: members
- title: Members
- name:
- name: name
- title: Name
- private_visibility_config_networks:
- name: private_visibility_config_networks
- title: Private Visibility Config Networks
- level: 1
- project_id:
- name: project_id
- title: Project Id
- recordsets:
- name: recordsets
- title: Recordsets
- level: 1
- role:
- name: role
- title: Role
- service_namespace_url:
- name: service_namespace_url
- title: Service Namespace Url
- target_name_server_addresses:
- name: target_name_server_addresses
- title: Target Name Server Addresses
- target_network:
- name: target_network
- title: Target Network
- type:
- name: type
- title: Type
- level: 1
- runtime:
- outputs:
- domain:
- visibility: VISIBILITY_ROOT
diff --git a/metadata.yaml b/metadata.yaml
deleted file mode 100644
index 2446baa..0000000
--- a/metadata.yaml
+++ /dev/null
@@ -1,197 +0,0 @@
-# Copyright 2026 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: blueprints.cloud.google.com/v1alpha1
-kind: BlueprintMetadata
-metadata:
- name: terraform-google-cloud-dns
- annotations:
- config.kubernetes.io/local-config: "true"
-spec:
- info:
- title: Terraform Google Cloud DNS Module
- source:
- repo: https://github.com/terraform-google-modules/terraform-google-cloud-dns.git
- sourceType: git
- version: 6.2.0
- actuationTool:
- flavor: Terraform
- version: ">= 1.3"
- description: {}
- content:
- subBlueprints:
- - name: dns_response_policy
- location: modules/dns_response_policy
- examples:
- - name: dns_response_policy
- location: examples/dns_response_policy
- - name: forwarding-zone
- location: examples/forwarding-zone
- - name: peering-zone
- location: examples/peering-zone
- - name: private-zone
- location: examples/private-zone
- - name: public-zone
- location: examples/public-zone
- interfaces:
- variables:
- - name: domain
- description: Zone domain, must end with a period.
- varType: string
- required: true
- - name: name
- description: Zone name, must be unique within the project.
- varType: string
- required: true
- - name: private_visibility_config_networks
- description: List of VPC self links that can see this zone.
- varType: list(string)
- defaultValue: []
- - name: gke_clusters_list
- description: The list of Google Kubernetes Engine clusters that can see this zone.
- varType: list(string)
- defaultValue: []
- connections:
- - source:
- source: github.com/terraform-google-modules/terraform-google-kubernetes-engine//modules/gke-standard-cluster
- version: ">=38.0.1"
- spec:
- outputExpr: cluster_id
- - name: project_id
- description: Project id for the zone.
- varType: string
- required: true
- - name: target_name_server_addresses
- description: List of target name servers for forwarding zone.
- varType: list(map(any))
- defaultValue: []
- - name: target_network
- description: Peering network.
- varType: string
- defaultValue: ""
- - name: description
- description: zone description (shown in console)
- varType: string
- defaultValue: Managed by Terraform
- - name: type
- description: Type of zone to create, valid values are 'public', 'private', 'forwarding', 'peering', 'reverse_lookup' and 'service_directory'.
- varType: string
- defaultValue: private
- - name: dnssec_config
- description: "Object containing : kind, non_existence, state. Please see https://www.terraform.io/docs/providers/google/r/dns_managed_zone#dnssec_config for futhers details"
- varType: any
- defaultValue: {}
- - name: labels
- description: A set of key/value label pairs to assign to this ManagedZone
- varType: map(any)
- defaultValue: {}
- - name: default_key_specs_key
- description: "Object containing default key signing specifications : algorithm, key_length, key_type, kind. Please see https://www.terraform.io/docs/providers/google/r/dns_managed_zone#dnssec_config for futhers details"
- varType: any
- defaultValue: {}
- - name: default_key_specs_zone
- description: "Object containing default zone signing specifications : algorithm, key_length, key_type, kind. Please see https://www.terraform.io/docs/providers/google/r/dns_managed_zone#dnssec_config for futhers details"
- varType: any
- defaultValue: {}
- - name: force_destroy
- description: Set this true to delete all records in the zone.
- varType: bool
- defaultValue: false
- - name: service_namespace_url
- description: The fully qualified or partial URL of the service directory namespace that should be associated with the zone. This should be formatted like https://servicedirectory.googleapis.com/v1/projects/{project}/locations/{location}/namespaces/{namespace_id} or simply projects/{project}/locations/{location}/namespaces/{namespace_id}.
- varType: string
- defaultValue: ""
- - name: recordsets
- description: List of DNS record objects to manage, in the standard terraform dns structure.
- varType: |-
- list(object({
- name = string
- type = string
- ttl = number
- records = optional(list(string), null)
-
- routing_policy = optional(object({
- wrr = optional(list(object({
- weight = number
- records = list(string)
- })), [])
- geo = optional(list(object({
- location = string
- records = list(string)
- })), [])
- }))
- }))
- defaultValue: []
- - name: enable_logging
- description: Enable query logging for this ManagedZone
- varType: bool
- defaultValue: false
- - name: iam_choice
- description: Opt 1. iam_binding, 2. iam_member, 3. iam_policy
- varType: string
- required: true
- - name: member
- description: Identities that will be granted the privilege in role
- varType: string
- required: true
- - name: members
- description: Identities that will be granted the privilege in role
- varType: list(string)
- required: true
- - name: role
- description: The role that should be applied
- varType: string
- required: true
- outputs:
- - name: domain
- description: The DNS zone domain.
- type: string
- - name: etag
- description: The etag of the IAM policy
- type:
- - list
- - - string
- - name: name
- description: The DNS zone name.
- type: string
- - name: name_servers
- description: The DNS zone name servers.
- type:
- - list
- - - string
- - name: type
- description: The DNS zone type.
- type: string
- requirements:
- roles:
- - level: Project
- roles:
- - roles/iam.serviceAccountAdmin
- - roles/iam.serviceAccountUser
- - roles/resourcemanager.projectIamAdmin
- - roles/serviceusage.serviceUsageAdmin
- - roles/dns.admin
- - roles/compute.networkAdmin
- - roles/accesscontextmanager.policyAdmin
- - roles/iam.securityAdmin
- services:
- - dns.googleapis.com
- - compute.googleapis.com
- - cloudresourcemanager.googleapis.com
- - serviceusage.googleapis.com
- providerVersions:
- - source: hashicorp/google
- version: ">= 5.12.0, < 8"
- - source: hashicorp/google-beta
- version: ">= 5.12.0, < 8"
diff --git a/modules/dns_response_policy/README.md b/modules/dns_response_policy/README.md
index 21e1957..e467b70 100644
--- a/modules/dns_response_policy/README.md
+++ b/modules/dns_response_policy/README.md
@@ -59,7 +59,6 @@ module "dns_response_policy" {
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| description | The description of the response policy. | `string` | n/a | yes |
-| gke\_clusters\_list | The list of Google Kubernetes Engine clusters that can see this zone. | `list(string)` | `[]` | no |
| network\_self\_links | The self links of the network to which the dns response policy needs to be applied. Note that only one response policy can be applied on a network. | `list(string)` | `[]` | no |
| policy\_name | Name of the DNS response policy. | `string` | n/a | yes |
| project\_id | The ID of the project in which the DNS response policy needs to be created. | `string` | n/a | yes |
diff --git a/modules/dns_response_policy/main.tf b/modules/dns_response_policy/main.tf
index b152265..709d36c 100644
--- a/modules/dns_response_policy/main.tf
+++ b/modules/dns_response_policy/main.tf
@@ -28,12 +28,6 @@ resource "google_dns_response_policy" "this" {
network_url = networks.value
}
}
- dynamic "gke_clusters" {
- for_each = toset(var.gke_clusters_list)
- content {
- gke_cluster_name = gke_clusters.value
- }
- }
}
/**
diff --git a/modules/dns_response_policy/metadata.display.yaml b/modules/dns_response_policy/metadata.display.yaml
deleted file mode 100644
index e3453d7..0000000
--- a/modules/dns_response_policy/metadata.display.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-# Copyright 2026 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: blueprints.cloud.google.com/v1alpha1
-kind: BlueprintMetadata
-metadata:
- name: terraform-google-cloud-dns-dns-response-policy-display
- annotations:
- config.kubernetes.io/local-config: "true"
-spec:
- info:
- title: gcp_dns_response_policy
- source:
- repo: https://github.com/terraform-google-modules/terraform-google-cloud-dns.git
- sourceType: git
- dir: /modules/dns_response_policy
- ui:
- input:
- variables:
- description:
- name: description
- title: Description
- gke_clusters_list:
- name: gke_clusters_list
- title: Gke Clusters List
- network_self_links:
- name: network_self_links
- title: Network Self Links
- level: 1
- policy_name:
- name: policy_name
- title: Policy Name
- project_id:
- name: project_id
- title: Project Id
- rules:
- name: rules
- title: Rules
- runtime:
- outputs:
- response_policy_rule_ids:
- visibility: VISIBILITY_ROOT
diff --git a/modules/dns_response_policy/metadata.yaml b/modules/dns_response_policy/metadata.yaml
deleted file mode 100644
index a451d1d..0000000
--- a/modules/dns_response_policy/metadata.yaml
+++ /dev/null
@@ -1,109 +0,0 @@
-# Copyright 2026 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: blueprints.cloud.google.com/v1alpha1
-kind: BlueprintMetadata
-metadata:
- name: terraform-google-cloud-dns-dns-response-policy
- annotations:
- config.kubernetes.io/local-config: "true"
-spec:
- info:
- title: gcp_dns_response_policy
- source:
- repo: https://github.com/terraform-google-modules/terraform-google-cloud-dns.git
- sourceType: git
- dir: /modules/dns_response_policy
- version: 6.2.0
- description: {}
- content:
- examples:
- - name: dns_response_policy
- location: examples/dns_response_policy
- - name: forwarding-zone
- location: examples/forwarding-zone
- - name: peering-zone
- location: examples/peering-zone
- - name: private-zone
- location: examples/private-zone
- - name: public-zone
- location: examples/public-zone
- interfaces:
- variables:
- - name: description
- description: The description of the response policy.
- varType: string
- required: true
- - name: gke_clusters_list
- description: The list of Google Kubernetes Engine clusters that can see this zone.
- varType: list(string)
- defaultValue: []
- connections:
- - source:
- source: github.com/terraform-google-modules/terraform-google-kubernetes-engine//modules/gke-standard-cluster
- version: ">=38.0.1"
- spec:
- outputExpr: cluster_id
- - name: network_self_links
- description: The self links of the network to which the dns response policy needs to be applied. Note that only one response policy can be applied on a network.
- varType: list(string)
- defaultValue: []
- - name: policy_name
- description: Name of the DNS response policy.
- varType: string
- required: true
- - name: project_id
- description: The ID of the project in which the DNS response policy needs to be created.
- varType: string
- required: true
- - name: rules
- description: " A Response Policy Rule is a selector that applies its behavior to queries that match the selector.\n Selectors are DNS names, which may be wildcards or exact matches.\n Takes a map as input where the key is the name of the rule. The map contains following attributes:\n Key - Name of the rule\n Value - Object of following attributes:\n * dns_name - DNS name where policy will be applied.\n * rule_behavior - Whether to override or passthru. Use value bypassResponsePolicy for passthru rules and skip this key for overriding rules.\n * rule_local_datas - When the rule behavior is override, policy will answer this matched DNS name directly with this DNS data. These resource record sets override any other DNS behavior for the matched name.\n * Each local datas object can contain following attributes:\n Key - One of the valid DNS resource type.\n Value - Object of following attributes:\n - ttl - Number of seconds that this ResourceRecordSet can be cached by resolvers.\n - rrdatas - As defined in RFC 1035 (section 5) and RFC 1034 (section 3.6.1)\n"
- varType: |-
- map(object({
- dns_name = string
- rule_behavior = optional(string)
- rule_local_datas = optional(map(object({
- ttl = string
- rrdatas = list(string)
- })))
- }))
- required: true
- outputs:
- - name: response_policy_id
- description: An identifier for the resource with format projects/{{project}}/responsePolicies/{{response_policy_name}}.
- type: string
- - name: response_policy_rule_ids
- description: List of response rules with format projects/{{project}}/responsePolicies/{{response_policy}}/rules/{{rule_name}}.
- type:
- - list
- - - string
- - string
- - string
- requirements:
- roles:
- - level: Project
- roles:
- - roles/iam.serviceAccountAdmin
- - roles/iam.serviceAccountUser
- - roles/resourcemanager.projectIamAdmin
- - roles/serviceusage.serviceUsageAdmin
- - roles/dns.admin
- - roles/compute.networkAdmin
- - roles/accesscontextmanager.policyAdmin
- - roles/iam.securityAdmin
- services:
- - dns.googleapis.com
- - compute.googleapis.com
- - cloudresourcemanager.googleapis.com
- - serviceusage.googleapis.com
diff --git a/modules/dns_response_policy/variable.tf b/modules/dns_response_policy/variable.tf
index ffcc333..4c74ef6 100644
--- a/modules/dns_response_policy/variable.tf
+++ b/modules/dns_response_policy/variable.tf
@@ -30,12 +30,6 @@ variable "network_self_links" {
default = []
}
-variable "gke_clusters_list" {
- description = "The list of Google Kubernetes Engine clusters that can see this zone."
- default = []
- type = list(string)
-}
-
variable "rules" {
type = map(object({
dns_name = string
diff --git a/outputs.tf b/outputs.tf
index 99ad7fa..fd98428 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -65,9 +65,3 @@ output "name_servers" {
),
)
}
-
-# Only when iam_policy resource is passed by the user
-output "etag" {
- description = "The etag of the IAM policy"
- value = length(google_dns_managed_zone_iam_policy.managed_zone_iam_policy) > 0 ? google_dns_managed_zone_iam_policy.managed_zone_iam_policy[*].etag : null
-}
diff --git a/test/integration/discover_test.go b/test/integration/discover_test.go
deleted file mode 100644
index 349a396..0000000
--- a/test/integration/discover_test.go
+++ /dev/null
@@ -1,25 +0,0 @@
-// Copyright 2022 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package test
-
-import (
- "testing"
-
- "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
-)
-
-func TestAll(t *testing.T) {
- tft.AutoDiscoverAndTest(t)
-}
diff --git a/test/integration/private_zone/private_zone_test.go b/test/integration/private_zone/private_zone_test.go
deleted file mode 100644
index 4c325f4..0000000
--- a/test/integration/private_zone/private_zone_test.go
+++ /dev/null
@@ -1,40 +0,0 @@
-// Copyright 2022 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package multiple_buckets
-
-import (
- "testing"
-
- "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
- "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
- "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils"
- "github.com/stretchr/testify/assert"
-)
-
-func TestPrivateZone(t *testing.T) {
- example := tft.NewTFBlueprintTest(t)
-
- example.DefineVerify(func(assert *assert.Assertions) {
- example.DefaultVerify(assert)
-
- name_servers := example.GetStringOutput("name_servers")
- etag := example.GetStringOutput("etag")
- services := gcloud.Run(t, "services list", gcloud.WithCommonArgs([]string{"--name_servers", name_servers, "--etag", etag, "--format", "json"})).Array()
-
- match := utils.GetFirstMatchResult(t, services, "config.name", "storage.googleapis.com")
- assert.Equal("ENABLED", match.Get("state").String(), "storage service should be enabled")
- })
- example.Test()
-}
diff --git a/test/integration/public_zone/public_zone_test.go b/test/integration/public_zone/public_zone_test.go
deleted file mode 100644
index fae7890..0000000
--- a/test/integration/public_zone/public_zone_test.go
+++ /dev/null
@@ -1,39 +0,0 @@
-// Copyright 2022 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package multiple_buckets
-
-import (
- "testing"
-
- "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
- "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
- "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils"
- "github.com/stretchr/testify/assert"
-)
-
-func TestPublicZone(t *testing.T) {
- example := tft.NewTFBlueprintTest(t)
-
- example.DefineVerify(func(assert *assert.Assertions) {
- example.DefaultVerify(assert)
-
- name_servers := example.GetStringOutput("name_servers")
- services := gcloud.Run(t, "services list", gcloud.WithCommonArgs([]string{"--name_servers", name_servers, "--format", "json"})).Array()
-
- match := utils.GetFirstMatchResult(t, services, "config.name", "storage.googleapis.com")
- assert.Equal("ENABLED", match.Get("state").String(), "storage service should be enabled")
- })
- example.Test()
-}
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index 56c3673..1fcc598 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -16,14 +16,8 @@
locals {
int_required_roles = [
- "roles/iam.serviceAccountAdmin",
- "roles/iam.serviceAccountUser",
- "roles/resourcemanager.projectIamAdmin",
- "roles/serviceusage.serviceUsageAdmin",
- "roles/dns.admin",
- "roles/compute.networkAdmin",
- "roles/accesscontextmanager.policyAdmin",
- "roles/iam.securityAdmin",
+ "roles/owner",
+ "roles/dns.admin"
]
}
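Review bot: `roles/owner` for the integration-test identity is far broader than the tests plausibly need, and it also makes the `roles/dns.admin` entry on the following line redundant, since the basic Owner role already carries every `dns.*` permission. The list being replaced was at least scoped to named admin roles; collapsing it to Owner means a leaked or misused test credential can change IAM policy, billing links and every other resource in the project, which is exactly what a least-privilege test account is meant to prevent. If the intent was to stop maintaining the long list, I would keep only the predefined roles the remaining examples exercise, e.g. `"roles/dns.admin",` plus `"roles/compute.networkAdmin"` if private zones still attach to VPC networks (I cannot see the examples from this hunk), and drop `roles/owner`. A one-line comment above the list stating why each role is required, such as `# dns.admin: managed zones and recordsets created by the examples`, would stop the list from drifting back to Owner.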
diff --git a/test/setup/main.tf b/test/setup/main.tf
index ac168ce..7b019dd 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -25,9 +25,6 @@ module "project" {
billing_account = var.billing_account
activate_apis = [
- "dns.googleapis.com",
- "compute.googleapis.com",
- "cloudresourcemanager.googleapis.com",
- "serviceusage.googleapis.com"
+ "dns.googleapis.com"
]
}
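Review bot: Dropping `compute.googleapis.com` from `activate_apis` looks fragile if any integration example still creates a private zone bound to VPC networks (the module's `private_visibility_config_networks` input takes VPC self links), because creating those networks in this test project requires the Compute API to be enabled; this hunk only shows the setup project, so I cannot confirm whether such an example remains. The removal of `cloudresourcemanager.googleapis.com` and `serviceusage.googleapis.com` is also worth a second look, since the project-creation module commonly needs them to set IAM bindings and enable further services; if they are enabled elsewhere (for example by the module itself), a short comment saying so would avoid the question on the next review. Keeping `"compute.googleapis.com"` alongside `"dns.googleapis.com"` until private-zone examples are confirmed gone would be the safer change. The enclosing `module "project"` block begins above this hunk.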
diff --git a/variables.tf b/variables.tf
index b37562b..8ba804e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -34,12 +34,6 @@ variable "private_visibility_config_networks" {
type = list(string)
}
-variable "gke_clusters_list" {
- description = "The list of Google Kubernetes Engine clusters that can see this zone."
- default = []
- type = list(string)
-}
-
variable "project_id" {
description = "Project id for the zone."
type = string
@@ -136,32 +130,3 @@ variable "enable_logging" {
default = false
type = bool
}
-
-###############################################################################
-# zone_iam variables #
-###############################################################################
-
-#Required variable
-variable "iam_choice" {
- description = "Opt 1. iam_binding, 2. iam_member, 3. iam_policy"
- type = string
- validation {
- condition = contains(["iam_binding", "iam_member", "iam_policy"], var.iam_choice)
- error_message = "Valid values for 'iam_choice' are: 'iam_binding', 'iam_member' or 'iam_policy'."
- }
-}
-
-variable "member" {
- description = "Identities that will be granted the privilege in role"
- type = string
-}
-
-variable "members" {
- description = "Identities that will be granted the privilege in role"
- type = list(string)
-}
-
-variable "role" {
- description = "The role that should be applied"
- type = string
-}