# Google Cloud DNS Response Policy

This module allows management of a [Google Cloud DNS policy and its rules](https://cloud.google.com/dns/docs/zones/manage-response-policies). The policy can be already existing and passed in via its id.

## Examples

### Manage policy and override resolution for specific names

This example creates a policy with a single rule that directs a specific Google API name to the restricted VIP addresses.

```hcl
module "dns-policy" {
  source     = "./fabric/modules/dns-response-policy"
  project_id = "myproject"
  name       = "googleapis"
  networks = {
    landing = var.vpc.self_link
  }
  rules = {
    pubsub = {
      dns_name = "pubsub.googleapis.com."
      local_data = {
        A = {
          rrdatas = ["199.36.153.4", "199.36.153.5"]
        }
      }
    }
  }
}
# tftest modules=1 resources=2 inventory=simple.yaml
```

### Use existing policy and override resolution via wildcard with exceptions

This example manages rules on an existing policy (`policy_create = false`): a wildcard rule directs all Google API names to the restricted VIP addresses, while exact-name rules carve out specific names as exceptions. The `pubsub` rule has no local data, so it falls back to its default behavior of bypassing the policy.

```hcl
module "dns-policy" {
  source        = "./fabric/modules/dns-response-policy"
  project_id    = "myproject"
  name          = "googleapis"
  policy_create = false
  networks = {
    landing = var.vpc.self_link
  }
  rules = {
    default = {
      dns_name = "*.googleapis.com."
      local_data = {
        CNAME = {
          rrdatas = ["restricted.googleapis.com."]
        }
      }
    }
    pubsub = {
      dns_name = "pubsub.googleapis.com."
    }
    restricted = {
      dns_name = "restricted.googleapis.com."
      local_data = {
        A = {
          rrdatas = ["199.36.153.4", "199.36.153.5"]
        }
      }
    }
  }
}
# tftest modules=1 resources=3 inventory=nocreate.yaml
```
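To make the precedence the wildcard example relies on concrete, here is an added Python simulation (not code from this module or the Cloud Foundation Fabric project) of how a response policy answers queries under those rules. It assumes the documented Cloud DNS semantics that an exact-name rule wins over a wildcard rule and that a rule without local data falls back to its behavior, which this module defaults to `bypassResponsePolicy`.

```python
# Added example: a simplified model of Cloud DNS response policy matching,
# fed with the rules from the "wildcard with exceptions" example above.
# Assumptions (not verified against the module's code): exact-name rules
# take precedence over wildcard rules, a rule without local_data applies its
# behavior (module default: bypassResponsePolicy), and CNAME local data is
# chased against the same policy.
from __future__ import annotations

# Rules copied from the second example, in the shape of the module's `rules`
# variable (behavior omitted, so it defaults to bypassResponsePolicy).
RULES = {
    "default": {"dns_name": "*.googleapis.com.",
                "local_data": {"CNAME": {"rrdatas": ["restricted.googleapis.com."]}}},
    "pubsub": {"dns_name": "pubsub.googleapis.com."},
    "restricted": {"dns_name": "restricted.googleapis.com.",
                   "local_data": {"A": {"rrdatas": ["199.36.153.4", "199.36.153.5"]}}},
}


def _matches(pattern: str, qname: str) -> bool:
    """Exact match, or wildcard match on any name below the wildcard's parent."""
    if pattern.startswith("*."):
        parent = pattern[2:]
        return qname != parent and qname.endswith("." + parent)
    return pattern == qname


def select_rule(rules: dict, qname: str) -> dict | None:
    """Pick the rule that governs qname: exact-name rules win over wildcards."""
    hits = [r for r in rules.values() if _matches(r["dns_name"], qname)]
    exact = [r for r in hits if not r["dns_name"].startswith("*.")]
    wild = [r for r in hits if r["dns_name"].startswith("*.")]
    return (exact or wild or [None])[0]


def resolve(rules: dict, qname: str, qtype: str = "A", _depth: int = 0) -> list[str] | None:
    """Return the rrdatas the policy answers with, or None when the query
    bypasses the policy and goes to normal resolution."""
    rule = select_rule(rules, qname)
    if rule is None or not rule.get("local_data"):
        return None  # no matching rule, or a behavior-only rule: bypass
    data = rule["local_data"]
    if qtype in data:
        return data[qtype]["rrdatas"]
    if "CNAME" in data and _depth < 8:  # chase the CNAME, bounded against loops
        return resolve(rules, data["CNAME"]["rrdatas"][0], qtype, _depth + 1)
    return []  # name is governed by the policy but has no record of this type
```

Running `resolve(RULES, "storage.googleapis.com.")` follows the wildcard CNAME to the restricted VIP addresses, while `resolve(RULES, "pubsub.googleapis.com.")` returns `None` because the exact-name rule bypasses the policy.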
<!-- BEGIN TFDOC -->

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L30) | Zone name, must be unique within the project. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L49) | Project id for the zone. | <code>string</code> | ✓ | |
| [clusters](variables.tf#L17) | Map of GKE clusters to which this policy is applied in name => id format. | <code>map(string)</code> | | <code>{}</code> |
| [description](variables.tf#L24) | Policy description. | <code>string</code> | | <code>"Terraform managed."</code> |
| [networks](variables.tf#L35) | Map of VPC self links to which this policy is applied in name => self link format. | <code>map(string)</code> | | <code>{}</code> |
| [policy_create](variables.tf#L42) | Set to false to use the existing policy matching name and only manage rules. | <code>bool</code> | | <code>true</code> |
| [rules](variables.tf#L54) | Map of policy rules in name => rule format. Local data takes precedence over behavior and is in the form record type => attributes. | <code title="map(object({ dns_name = string behavior = optional(string, "bypassResponsePolicy") local_data = optional(map(object({ ttl = optional(number) rrdatas = optional(list(string), []) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| [id](outputs.tf#L17) | Policy id. | |
| [name](outputs.tf#L22) | Policy name. | |
| [policy](outputs.tf#L27) | Policy resource. | |

<!-- END TFDOC -->