diff --git a/fast/stages/2-networking-a-peering/README.md b/fast/stages/2-networking-a-peering/README.md
index 25d40431..be27cabd 100644
--- a/fast/stages/2-networking-a-peering/README.md
+++ b/fast/stages/2-networking-a-peering/README.md
@@ -366,9 +366,9 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 
 | name | description | modules | resources |
 |---|---|---|---|
-| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns | |
-| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | dns · dns-response-policy | |
-| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns | |
+| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns | google_dns_policy |
+| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | dns · dns-response-policy | google_dns_policy |
+| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns | google_dns_policy |
 | [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder · net-firewall-policy | |
 | [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. | | google_monitoring_alert_policy |
 | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard |
@@ -389,20 +389,20 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables.tf#L42) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
 | [billing_account](variables.tf#L50) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [folder_ids](variables.tf#L101) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
-| [organization](variables.tf#L121) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
-| [prefix](variables.tf#L137) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
+| [folder_ids](variables.tf#L103) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
+| [organization](variables.tf#L123) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
+| [prefix](variables.tf#L139) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
 | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
 | [custom_roles](variables.tf#L63) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
-| [dns](variables.tf#L72) | Onprem DNS resolvers. | map(list(string)) | | {…} | |
-| [factories_config](variables.tf#L80) | Configuration for network resource factories. | object({…}) | | {…} | |
-| [groups](variables.tf#L111) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed. | object({…}) | | {} | 0-bootstrap |
-| [outputs_location](variables.tf#L131) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [dns](variables.tf#L72) | DNS configuration. | object({…}) | | {} | |
+| [factories_config](variables.tf#L82) | Configuration for network resource factories. | object({…}) | | {…} | |
+| [groups](variables.tf#L113) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed. | object({…}) | | {} | 0-bootstrap |
+| [outputs_location](variables.tf#L133) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
 | [peering_configs](variables-peerings.tf#L19) | Peering configurations. | object({…}) | | {} | |
-| [psa_ranges](variables.tf#L148) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | null | |
-| [regions](variables.tf#L167) | Region definitions. | object({…}) | | {…} | |
-| [service_accounts](variables.tf#L179) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
-| [vpn_onprem_primary_config](variables.tf#L193) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
+| [psa_ranges](variables.tf#L150) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | null | |
+| [regions](variables.tf#L169) | Region definitions. | object({…}) | | {…} | |
+| [service_accounts](variables.tf#L181) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
+| [vpn_onprem_primary_config](variables.tf#L195) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
 
 ## Outputs
 
diff --git a/fast/stages/2-networking-a-peering/dns-dev.tf b/fast/stages/2-networking-a-peering/dns-dev.tf
index f40281fb..c91e959b 100644
--- a/fast/stages/2-networking-a-peering/dns-dev.tf
+++ b/fast/stages/2-networking-a-peering/dns-dev.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -75,3 +75,15 @@ module "dev-dns-peer-landing-rev-10" {
 }
 }
 }
+
+# DNS policy to enable query logging
+
+resource "google_dns_policy" "dev-dns-logging-policy" {
+ name = "logging-policy"
+ count = var.dns.enable_logging ? 1 : 0
+ project = module.dev-spoke-project.project_id
+ enable_logging = true
+ networks {
+ network_url = module.dev-spoke-vpc.id
+ }
+}
diff --git a/fast/stages/2-networking-a-peering/dns-landing.tf b/fast/stages/2-networking-a-peering/dns-landing.tf
index dcdb5cee..25fa33e4 100644
--- a/fast/stages/2-networking-a-peering/dns-landing.tf
+++ b/fast/stages/2-networking-a-peering/dns-landing.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -25,13 +25,14 @@ moved {
 
 module "landing-dns-fwd-onprem-example" {
 source = "../../../modules/dns"
+ count = length(var.dns.resolvers) > 0 ? 1 : 0
 project_id = module.landing-project.project_id
 name = "example-com"
 zone_config = {
 domain = "onprem.example.com."
 forwarding = {
 client_networks = [module.landing-vpc.self_link]
- forwarders = { for ip in var.dns.onprem : ip => null }
+ forwarders = { for ip in var.dns.resolvers : ip => null }
 }
 }
 }
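Review bot: A VPC network can be associated with at most one `google_dns_policy`, so if `module.dev-spoke-vpc` (or, more likely, the landing VPC) already attaches a policy — for example for inbound forwarding — the new standalone `dev-dns-logging-policy` resource will fail at apply time with a conflict; the VPC module blocks are not visible in this diff, so this needs confirming, and if a policy already exists the logging flag belongs on it rather than on a second resource. As a point of style, `name = "logging-policy"` is written before `count`; meta-arguments conventionally come first, so `count = var.dns.enable_logging ? 1 : 0` should be the first line of the block. Because the toggle is implemented through `count`, flipping `enable_logging` destroys and recreates the policy instead of updating it in place, which is worth a one-line comment such as `# toggled via count: disabling logging removes the policy`. The same applies to the `landing-dns-logging-policy` and `prod-dns-logging-policy` hunks in this stage and to the equivalent hunks in the b-vpn, c-nva and d-separate-envs stages.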
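Review bot: Adding `count` to `module "landing-dns-fwd-onprem-example"` changes its state address to `module.landing-dns-fwd-onprem-example[0]`, so deployments that keep on-prem forwarding by setting `resolvers` may see the zone destroyed and recreated unless the plan shows an implicit move or a `moved { from = module.landing-dns-fwd-onprem-example to = module.landing-dns-fwd-onprem-example[0] }` block is added next to the existing `moved` block, which sits just above this hunk. Any reference to this module's outputs elsewhere in the stage now also needs the `[0]` index. The same applies to `landing-dns-fwd-onprem-rev-10` below and to the matching hunks in the b-vpn, c-nva and d-separate-envs stages.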
@@ -43,13 +44,14 @@ moved {
 
 module "landing-dns-fwd-onprem-rev-10" {
 source = "../../../modules/dns"
+ count = length(var.dns.resolvers) > 0 ? 1 : 0
 project_id = module.landing-project.project_id
 name = "root-reverse-10"
 zone_config = {
 domain = "10.in-addr.arpa."
 forwarding = {
 client_networks = [module.landing-vpc.self_link]
- forwarders = { for ip in var.dns.onprem : ip => null }
+ forwarders = { for ip in var.dns.resolvers : ip => null }
 }
 }
 }
@@ -85,3 +87,15 @@ module "landing-dns-policy-googleapis" {
 }
 rules_file = var.factories_config.dns_policy_rules_file
 }
+
+# DNS policy to enable query logging
+
+resource "google_dns_policy" "landing-dns-logging-policy" {
+ name = "logging-policy"
+ count = var.dns.enable_logging ? 1 : 0
+ project = module.landing-project.project_id
+ enable_logging = true
+ networks {
+ network_url = module.landing-vpc.id
+ }
+}
diff --git a/fast/stages/2-networking-a-peering/dns-prod.tf b/fast/stages/2-networking-a-peering/dns-prod.tf
index 6bd34be8..f09e16f9 100644
--- a/fast/stages/2-networking-a-peering/dns-prod.tf
+++ b/fast/stages/2-networking-a-peering/dns-prod.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -75,3 +75,15 @@ module "prod-dns-peer-landing-rev-10" {
 }
 }
 }
+
+# DNS policy to enable query logging
+
+resource "google_dns_policy" "prod-dns-logging-policy" {
+ name = "logging-policy"
+ count = var.dns.enable_logging ? 1 : 0
+ project = module.prod-spoke-project.project_id
+ enable_logging = true
+ networks {
+ network_url = module.prod-spoke-vpc.id
+ }
+}
diff --git a/fast/stages/2-networking-a-peering/variables.tf b/fast/stages/2-networking-a-peering/variables.tf
index 4def0c3f..6eaa2d45 100644
--- a/fast/stages/2-networking-a-peering/variables.tf
+++ b/fast/stages/2-networking-a-peering/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -70,11 +70,13 @@ variable "custom_roles" {
 }
 
 variable "dns" {
- description = "Onprem DNS resolvers."
- type = map(list(string))
- default = {
- onprem = ["10.0.200.3"]
- }
+ description = "DNS configuration."
+ type = object({
+ enable_logging = optional(bool, true)
+ resolvers = optional(list(string), [])
+ })
+ default = {}
+ nullable = false
 }
 
 variable "factories_config" {
diff --git a/fast/stages/2-networking-b-vpn/README.md b/fast/stages/2-networking-b-vpn/README.md
index 880f771b..4a440474 100644
--- a/fast/stages/2-networking-b-vpn/README.md
+++ b/fast/stages/2-networking-b-vpn/README.md
@@ -388,9 +388,9 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 
 | name | description | modules | resources |
 |---|---|---|---|
-| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns | |
-| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | dns · dns-response-policy | |
-| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns | |
+| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns | google_dns_policy |
+| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | dns · dns-response-policy | google_dns_policy |
+| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns | google_dns_policy |
 | [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder · net-firewall-policy | |
 | [monitoring-vpn.tf](./monitoring-vpn.tf) | VPN monitoring alerts. | | google_monitoring_alert_policy |
 | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard |
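Review bot: `resolvers` is typed `list(string)` with no `validation` block, so a typo or a hostname passes `terraform validate` and only fails once the forwarding zone is applied; a validation that each entry parses as an address, e.g. `condition = alltrue([for r in var.dns.resolvers : can(cidrhost("${r}/32", 0))])` for IPv4, would surface it at plan time. The new description `"DNS configuration."` also drops what the old one said: it should state that `resolvers` are the on-prem resolver addresses used by the forwarding zones and that an empty list (now the default, replacing `["10.0.200.3"]`) leaves those zones uncreated, and that `enable_logging` attaches a query-logging `google_dns_policy` to each VPC. The same applies to the `variable "dns"` hunks in the b-vpn, c-nva and d-separate-envs stages, the last of which splits the list into `dev_resolvers` and `prod_resolvers`.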
@@ -413,20 +413,20 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables.tf#L42) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
 | [billing_account](variables.tf#L50) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [folder_ids](variables.tf#L101) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
-| [organization](variables.tf#L121) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
-| [prefix](variables.tf#L137) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
+| [folder_ids](variables.tf#L103) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
+| [organization](variables.tf#L123) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
+| [prefix](variables.tf#L139) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
 | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
 | [custom_roles](variables.tf#L63) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
-| [dns](variables.tf#L72) | Onprem DNS resolvers. | map(list(string)) | | {…} | |
-| [factories_config](variables.tf#L80) | Configuration for network resource factories. | object({…}) | | {…} | |
-| [groups](variables.tf#L111) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed. | object({…}) | | {} | 0-bootstrap |
-| [outputs_location](variables.tf#L131) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L148) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | null | |
-| [regions](variables.tf#L167) | Region definitions. | object({…}) | | {…} | |
-| [service_accounts](variables.tf#L179) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
+| [dns](variables.tf#L72) | DNS configuration. | object({…}) | | {} | |
+| [factories_config](variables.tf#L82) | Configuration for network resource factories. | object({…}) | | {…} | |
+| [groups](variables.tf#L113) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed. | object({…}) | | {} | 0-bootstrap |
+| [outputs_location](variables.tf#L133) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [psa_ranges](variables.tf#L150) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | null | |
+| [regions](variables.tf#L169) | Region definitions. | object({…}) | | {…} | |
+| [service_accounts](variables.tf#L181) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
 | [vpn_configs](variables-vpn.tf#L17) | Hub to spokes VPN configurations. | object({…}) | | {} | |
-| [vpn_onprem_primary_config](variables.tf#L193) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
+| [vpn_onprem_primary_config](variables.tf#L195) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
 
 ## Outputs
 
diff --git a/fast/stages/2-networking-b-vpn/dns-dev.tf b/fast/stages/2-networking-b-vpn/dns-dev.tf
index f40281fb..c91e959b 100644
--- a/fast/stages/2-networking-b-vpn/dns-dev.tf
+++ b/fast/stages/2-networking-b-vpn/dns-dev.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -75,3 +75,15 @@ module "dev-dns-peer-landing-rev-10" {
 }
 }
 }
+
+# DNS policy to enable query logging
+
+resource "google_dns_policy" "dev-dns-logging-policy" {
+ name = "logging-policy"
+ count = var.dns.enable_logging ? 1 : 0
+ project = module.dev-spoke-project.project_id
+ enable_logging = true
+ networks {
+ network_url = module.dev-spoke-vpc.id
+ }
+}
diff --git a/fast/stages/2-networking-b-vpn/dns-landing.tf b/fast/stages/2-networking-b-vpn/dns-landing.tf
index dcdb5cee..25fa33e4 100644
--- a/fast/stages/2-networking-b-vpn/dns-landing.tf
+++ b/fast/stages/2-networking-b-vpn/dns-landing.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -25,13 +25,14 @@ moved {
 
 module "landing-dns-fwd-onprem-example" {
 source = "../../../modules/dns"
+ count = length(var.dns.resolvers) > 0 ? 1 : 0
 project_id = module.landing-project.project_id
 name = "example-com"
 zone_config = {
 domain = "onprem.example.com."
 forwarding = {
 client_networks = [module.landing-vpc.self_link]
- forwarders = { for ip in var.dns.onprem : ip => null }
+ forwarders = { for ip in var.dns.resolvers : ip => null }
 }
 }
 }
@@ -43,13 +44,14 @@ moved {
 
 module "landing-dns-fwd-onprem-rev-10" {
 source = "../../../modules/dns"
+ count = length(var.dns.resolvers) > 0 ? 1 : 0
 project_id = module.landing-project.project_id
 name = "root-reverse-10"
 zone_config = {
 domain = "10.in-addr.arpa."
 forwarding = {
 client_networks = [module.landing-vpc.self_link]
- forwarders = { for ip in var.dns.onprem : ip => null }
+ forwarders = { for ip in var.dns.resolvers : ip => null }
 }
 }
 }
@@ -85,3 +87,15 @@ module "landing-dns-policy-googleapis" {
 }
 rules_file = var.factories_config.dns_policy_rules_file
 }
+
+# DNS policy to enable query logging
+
+resource "google_dns_policy" "landing-dns-logging-policy" {
+ name = "logging-policy"
+ count = var.dns.enable_logging ? 1 : 0
+ project = module.landing-project.project_id
+ enable_logging = true
+ networks {
+ network_url = module.landing-vpc.id
+ }
+}
diff --git a/fast/stages/2-networking-b-vpn/dns-prod.tf b/fast/stages/2-networking-b-vpn/dns-prod.tf
index 6bd34be8..f09e16f9 100644
--- a/fast/stages/2-networking-b-vpn/dns-prod.tf
+++ b/fast/stages/2-networking-b-vpn/dns-prod.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -75,3 +75,15 @@ module "prod-dns-peer-landing-rev-10" {
 }
 }
 }
+
+# DNS policy to enable query logging
+
+resource "google_dns_policy" "prod-dns-logging-policy" {
+ name = "logging-policy"
+ count = var.dns.enable_logging ? 1 : 0
+ project = module.prod-spoke-project.project_id
+ enable_logging = true
+ networks {
+ network_url = module.prod-spoke-vpc.id
+ }
+}
diff --git a/fast/stages/2-networking-b-vpn/variables.tf b/fast/stages/2-networking-b-vpn/variables.tf
index 4def0c3f..6eaa2d45 100644
--- a/fast/stages/2-networking-b-vpn/variables.tf
+++ b/fast/stages/2-networking-b-vpn/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -70,11 +70,13 @@ variable "custom_roles" {
 }
 
 variable "dns" {
- description = "Onprem DNS resolvers."
- type = map(list(string))
- default = {
- onprem = ["10.0.200.3"]
- }
+ description = "DNS configuration."
+ type = object({
+ enable_logging = optional(bool, true)
+ resolvers = optional(list(string), [])
+ })
+ default = {}
+ nullable = false
 }
 
 variable "factories_config" {
diff --git a/fast/stages/2-networking-c-nva/README.md b/fast/stages/2-networking-c-nva/README.md
index 67408916..79019c0e 100644
--- a/fast/stages/2-networking-c-nva/README.md
+++ b/fast/stages/2-networking-c-nva/README.md
@@ -436,9 +436,9 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 
 | name | description | modules | resources |
 |---|---|---|---|
-| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns | |
-| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | dns · dns-response-policy | |
-| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns | |
+| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns | google_dns_policy |
+| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | dns · dns-response-policy | google_dns_policy |
+| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns | google_dns_policy |
 | [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder · net-firewall-policy | |
 | [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. | | google_monitoring_alert_policy |
 | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard |
@@ -458,22 +458,22 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables.tf#L42) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
 | [billing_account](variables.tf#L50) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [folder_ids](variables.tf#L101) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
-| [organization](variables.tf#L144) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
-| [prefix](variables.tf#L160) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
+| [folder_ids](variables.tf#L103) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
+| [organization](variables.tf#L146) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
+| [prefix](variables.tf#L162) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
 | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
 | [custom_roles](variables.tf#L63) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
-| [dns](variables.tf#L72) | Onprem DNS resolvers. | map(list(string)) | | {…} | |
-| [factories_config](variables.tf#L80) | Configuration for network resource factories. | object({…}) | | {…} | |
-| [gcp_ranges](variables.tf#L111) | GCP address ranges in name => range format. | map(string) | | {…} | |
-| [groups](variables.tf#L126) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed. | object({…}) | | {} | 0-bootstrap |
-| [onprem_cidr](variables.tf#L136) | Onprem addresses in name => range format. | map(string) | | {…} | |
-| [outputs_location](variables.tf#L154) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L171) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | null | |
-| [regions](variables.tf#L190) | Region definitions. | object({…}) | | {…} | |
-| [service_accounts](variables.tf#L202) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
-| [vpn_onprem_primary_config](variables.tf#L216) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
-| [vpn_onprem_secondary_config](variables.tf#L259) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | |
+| [dns](variables.tf#L72) | DNS configuration. | object({…}) | | {} | |
+| [factories_config](variables.tf#L82) | Configuration for network resource factories. | object({…}) | | {…} | |
+| [gcp_ranges](variables.tf#L113) | GCP address ranges in name => range format. | map(string) | | {…} | |
+| [groups](variables.tf#L128) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed. | object({…}) | | {} | 0-bootstrap |
+| [onprem_cidr](variables.tf#L138) | Onprem addresses in name => range format. | map(string) | | {…} | |
+| [outputs_location](variables.tf#L156) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [psa_ranges](variables.tf#L173) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | null | |
+| [regions](variables.tf#L192) | Region definitions. | object({…}) | | {…} | |
+| [service_accounts](variables.tf#L204) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
+| [vpn_onprem_primary_config](variables.tf#L218) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
+| [vpn_onprem_secondary_config](variables.tf#L261) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | |
 
 ## Outputs
 
diff --git a/fast/stages/2-networking-c-nva/dns-dev.tf b/fast/stages/2-networking-c-nva/dns-dev.tf
index ccedee72..11c721fe 100644
--- a/fast/stages/2-networking-c-nva/dns-dev.tf
+++ b/fast/stages/2-networking-c-nva/dns-dev.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -70,3 +70,16 @@ module "dev-dns-peer-landing-rev-10" {
 }
 }
 }
+
+
+# DNS policy to enable query logging
+
+resource "google_dns_policy" "dev-dns-logging-policy" {
+ name = "logging-policy"
+ count = var.dns.enable_logging ? 1 : 0
+ project = module.dev-spoke-project.project_id
+ enable_logging = true
+ networks {
+ network_url = module.dev-spoke-vpc.id
+ }
+}
diff --git a/fast/stages/2-networking-c-nva/dns-landing.tf b/fast/stages/2-networking-c-nva/dns-landing.tf
index 5c8e1777..b93fc08a 100644
--- a/fast/stages/2-networking-c-nva/dns-landing.tf
+++ b/fast/stages/2-networking-c-nva/dns-landing.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -25,6 +25,7 @@ moved {
 
 module "landing-dns-fwd-onprem-example" {
 source = "../../../modules/dns"
+ count = length(var.dns.resolvers) > 0 ? 1 : 0
 project_id = module.landing-project.project_id
 name = "example-com"
 zone_config = {
@@ -34,7 +35,7 @@ module "landing-dns-fwd-onprem-example" {
 module.landing-untrusted-vpc.self_link,
 module.landing-trusted-vpc.self_link
 ]
- forwarders = { for ip in var.dns.onprem : ip => null }
+ forwarders = { for ip in var.dns.resolvers : ip => null }
 }
 }
 }
@@ -46,6 +47,7 @@ moved {
 
 module "landing-dns-fwd-onprem-rev-10" {
 source = "../../../modules/dns"
+ count = length(var.dns.resolvers) > 0 ? 1 : 0
 project_id = module.landing-project.project_id
 name = "root-reverse-10"
 zone_config = {
@@ -55,7 +57,7 @@ module "landing-dns-fwd-onprem-rev-10" {
 module.landing-untrusted-vpc.self_link,
 module.landing-trusted-vpc.self_link
 ]
- forwarders = { for ip in var.dns.onprem : ip => null }
+ forwarders = { for ip in var.dns.resolvers : ip => null }
 }
 }
 }
@@ -95,3 +97,18 @@ module "landing-dns-policy-googleapis" {
 }
 rules_file = var.factories_config.dns_policy_rules_file
 }
+
+# DNS policy to enable query logging
+
+resource "google_dns_policy" "landing-dns-logging-policy" {
+ name = "logging-policy"
+ count = var.dns.enable_logging ? 1 : 0
+ project = module.landing-project.project_id
+ enable_logging = true
+ networks {
+ network_url = module.landing-trusted-vpc.id
+ }
+ networks {
+ network_url = module.landing-untrusted-vpc.id
+ }
+}
diff --git a/fast/stages/2-networking-c-nva/dns-prod.tf b/fast/stages/2-networking-c-nva/dns-prod.tf
index 62cfab03..ea0d3a5d 100644
--- a/fast/stages/2-networking-c-nva/dns-prod.tf
+++ b/fast/stages/2-networking-c-nva/dns-prod.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -70,3 +70,15 @@ module "prod-dns-peer-landing-rev-10" {
 }
 }
 }
+
+# DNS policy to enable query logging
+
+resource "google_dns_policy" "prod-dns-logging-policy" {
+ name = "logging-policy"
+ count = var.dns.enable_logging ? 1 : 0
+ project = module.prod-spoke-project.project_id
+ enable_logging = true
+ networks {
+ network_url = module.prod-spoke-vpc.id
+ }
+}
diff --git a/fast/stages/2-networking-c-nva/variables.tf b/fast/stages/2-networking-c-nva/variables.tf
index f62547bc..a376ce42 100644
--- a/fast/stages/2-networking-c-nva/variables.tf
+++ b/fast/stages/2-networking-c-nva/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -70,11 +70,13 @@ variable "custom_roles" {
 }
 
 variable "dns" {
- description = "Onprem DNS resolvers."
- type = map(list(string))
- default = {
- onprem = ["10.0.200.3"]
- }
+ description = "DNS configuration."
+ type = object({
+ enable_logging = optional(bool, true)
+ resolvers = optional(list(string), [])
+ })
+ default = {}
+ nullable = false
 }
 
 variable "factories_config" {
diff --git a/fast/stages/2-networking-d-separate-envs/README.md b/fast/stages/2-networking-d-separate-envs/README.md
index bb3aa4d2..5922ce61 100644
--- a/fast/stages/2-networking-d-separate-envs/README.md
+++ b/fast/stages/2-networking-d-separate-envs/README.md
@@ -313,8 +313,8 @@ Regions are defined via the `regions` variable which sets up a mapping between t
 
 | name | description | modules | resources |
 |---|---|---|---|
-| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns · dns-response-policy | |
-| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns · dns-response-policy | |
+| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns · dns-response-policy | google_dns_policy |
+| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns · dns-response-policy | google_dns_policy |
 | [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder · net-firewall-policy | |
 | [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. | | google_monitoring_alert_policy |
 | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard |
@@ -332,20 +332,20 @@ Regions are defined via the `regions` variable which sets up a mapping between t
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables.tf#L42) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
 | [billing_account](variables.tf#L50) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [folder_ids](variables.tf#L102) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
-| [organization](variables.tf#L122) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
-| [prefix](variables.tf#L138) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
+| [folder_ids](variables.tf#L104) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
+| [organization](variables.tf#L124) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
+| [prefix](variables.tf#L140) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
 | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
 | [custom_roles](variables.tf#L63) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
-| [dns](variables.tf#L72) | Onprem DNS resolvers. | map(list(string)) | | {…} | |
-| [factories_config](variables.tf#L81) | Configuration for network resource factories. | object({…}) | | {…} | |
-| [groups](variables.tf#L112) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed. | object({…}) | | {} | 0-bootstrap |
-| [outputs_location](variables.tf#L132) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L149) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
-| [regions](variables.tf#L168) | Region definitions. | object({…}) | | {…} | |
-| [service_accounts](variables.tf#L178) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
-| [vpn_onprem_dev_primary_config](variables.tf#L192) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | |
-| [vpn_onprem_prod_primary_config](variables.tf#L235) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | |
+| [dns](variables.tf#L72) | DNS configuration. | object({…}) | | {} | |
+| [factories_config](variables.tf#L83) | Configuration for network resource factories. | object({…}) | | {…} | |
+| [groups](variables.tf#L114) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed. | object({…}) | | {} | 0-bootstrap |
+| [outputs_location](variables.tf#L134) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [psa_ranges](variables.tf#L151) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
+| [regions](variables.tf#L170) | Region definitions. | object({…}) | | {…} | |
+| [service_accounts](variables.tf#L180) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
+| [vpn_onprem_dev_primary_config](variables.tf#L194) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | |
+| [vpn_onprem_prod_primary_config](variables.tf#L237) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | |
 
 ## Outputs
 
diff --git a/fast/stages/2-networking-d-separate-envs/dns-dev.tf b/fast/stages/2-networking-d-separate-envs/dns-dev.tf
index bad0db19..cb50147a 100644
--- a/fast/stages/2-networking-d-separate-envs/dns-dev.tf
+++ b/fast/stages/2-networking-d-separate-envs/dns-dev.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -40,13 +40,14 @@ moved {
 
 module "dev-dns-fwd-onprem-example" {
 source = "../../../modules/dns"
+ count = length(var.dns.dev_resolvers) > 0 ? 1 : 0
 project_id = module.dev-spoke-project.project_id
 name = "example-com"
 zone_config = {
 domain = "onprem.example.com."
 forwarding = {
 client_networks = [module.dev-spoke-vpc.self_link]
- forwarders = { for ip in var.dns.dev : ip => null }
+ forwarders = { for ip in var.dns.dev_resolvers : ip => null }
 }
 }
 }
@@ -58,13 +59,14 @@ moved {
 
 module "dev-dns-fwd-onprem-rev-10" {
 source = "../../../modules/dns"
+ count = length(var.dns.dev_resolvers) > 0 ? 1 : 0
 project_id = module.dev-spoke-project.project_id
 name = "root-reverse-10"
 zone_config = {
 domain = "10.in-addr.arpa."
 forwarding = {
 client_networks = [module.dev-spoke-vpc.self_link]
- forwarders = { for ip in var.dns.dev : ip => null }
+ forwarders = { for ip in var.dns.dev_resolvers : ip => null }
 }
 }
 }
@@ -80,3 +82,15 @@ module "dev-dns-policy-googleapis" {
 }
 rules_file = var.factories_config.dns_policy_rules_file
 }
+
+# DNS policy to enable query logging
+
+resource "google_dns_policy" "dev-dns-logging-policy" {
+ name = "logging-policy"
+ count = var.dns.enable_logging ? 1 : 0
+ project = module.dev-spoke-project.project_id
+ enable_logging = true
+ networks {
+ network_url = module.dev-spoke-vpc.id
+ }
+}
diff --git a/fast/stages/2-networking-d-separate-envs/dns-prod.tf b/fast/stages/2-networking-d-separate-envs/dns-prod.tf
index 17d3d531..c293196c 100644
--- a/fast/stages/2-networking-d-separate-envs/dns-prod.tf
+++ b/fast/stages/2-networking-d-separate-envs/dns-prod.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -40,13 +40,14 @@ moved {
 module "prod-dns-fwd-onprem-example" {
 source = "../../../modules/dns"
+ count = length(var.dns.prod_resolvers) > 0 ? 1 : 0
 project_id = module.prod-spoke-project.project_id
 name = "example-com"
 zone_config = {
 domain = "onprem.example.com."
 forwarding = {
 client_networks = [module.prod-spoke-vpc.self_link]
- forwarders = { for ip in var.dns.prod : ip => null }
+ forwarders = { for ip in var.dns.prod_resolvers : ip => null }
 }
 }
 }
@@ -58,13 +59,14 @@ moved {
 module "prod-dns-fwd-onprem-rev-10" {
 source = "../../../modules/dns"
+ count = length(var.dns.prod_resolvers) > 0 ? 1 : 0
 project_id = module.prod-spoke-project.project_id
 name = "root-reverse-10"
 zone_config = {
 domain = "10.in-addr.arpa."
 forwarding = {
 client_networks = [module.prod-spoke-vpc.self_link]
- forwarders = { for ip in var.dns.prod : ip => null }
+ forwarders = { for ip in var.dns.prod_resolvers : ip => null }
 }
 }
 }
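Review bot: `google_dns_policy.dev-dns-logging-policy` attaches a DNS server policy to `module.dev-spoke-vpc.id`, and Cloud DNS accepts only one server policy per VPC network, so a deployment that already binds a policy to the spoke VPC (for inbound forwarding or alternative name servers, say) would likely fail to apply now that `enable_logging` defaults to true. A comment above the resource such as `# A VPC accepts a single DNS server policy: extend this one (inbound forwarding, alternative name servers) rather than adding a second.` would make the constraint visible to the next maintainer, and the README could say where the query logs land for detection use. As a style point, `count` sits below `name` whereas the forwarding modules in this file place the meta-argument right after `source`. The same applies to the prod resource in dns-prod.tf below and to the dev, landing and prod resources added in the 2-networking-e-nva-bgp dns-*.tf files, where the landing policy binds both the trusted and untrusted VPCs.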
@@ -80,3 +82,15 @@ module "prod-dns-policy-googleapis" {
 }
 rules_file = var.factories_config.dns_policy_rules_file
 }
+
+# DNS policy to enable query logging
+
+resource "google_dns_policy" "prod-dns-logging-policy" {
+ name = "logging-policy"
+ count = var.dns.enable_logging ? 1 : 0
+ project = module.prod-spoke-project.project_id
+ enable_logging = true
+ networks {
+ network_url = module.prod-spoke-vpc.id
+ }
+}
diff --git a/fast/stages/2-networking-d-separate-envs/variables.tf b/fast/stages/2-networking-d-separate-envs/variables.tf
index 5d0642df..f6dccda0 100644
--- a/fast/stages/2-networking-d-separate-envs/variables.tf
+++ b/fast/stages/2-networking-d-separate-envs/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -70,12 +70,14 @@ variable "custom_roles" {
 }
 variable "dns" {
- description = "Onprem DNS resolvers."
- type = map(list(string))
- default = {
- prod = ["10.0.1.1"]
- dev = ["10.0.2.1"]
- }
+ description = "DNS configuration."
+ type = object({
+ dev_resolvers = optional(list(string), [])
+ enable_logging = optional(bool, true)
+ prod_resolvers = optional(list(string), [])
+ })
+ default = {}
+ nullable = false
 }
 variable "factories_config" {
diff --git a/fast/stages/2-networking-e-nva-bgp/README.md b/fast/stages/2-networking-e-nva-bgp/README.md
index 6043e77b..4b684e20 100644
--- a/fast/stages/2-networking-e-nva-bgp/README.md
+++ b/fast/stages/2-networking-e-nva-bgp/README.md
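Review bot: The new `dns` object in variables.tf replaces a default that shipped resolver addresses (`10.0.1.1`, `10.0.2.1`) with empty lists, so an existing deployment that never set `var.dns` now gets `count = 0` on the on-prem forwarding zones in dns-dev.tf and dns-prod.tf and loses them on the next apply, and the description `"DNS configuration."` says neither that nor what `enable_logging` controls. Resolver entries are also accepted unvalidated although they become forwarding targets directly, so a typo surfaces only at apply time; a validation block would reject it at plan time. The same applies to the `resolvers` attribute in 2-networking-e-nva-bgp/variables.tf further down.
```hcl
variable "dns" {
  description = "DNS configuration. Resolver lists feed the on-prem forwarding zones (an empty list disables them); enable_logging attaches a query-logging DNS policy to each VPC."
  # … unchanged: type, default, nullable …
  validation {
    condition = alltrue([
      for ip in concat(var.dns.dev_resolvers, var.dns.prod_resolvers) :
      can(cidrhost("${ip}/32", 0))
    ])
    error_message = "Resolver entries must be IP addresses."
  }
}
```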
@@ -461,9 +461,9 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | name | description | modules | resources |
 |---|---|---|---|
-| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns | |
-| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | dns · dns-response-policy | |
-| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns | |
+| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | dns | google_dns_policy |
+| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | dns · dns-response-policy | google_dns_policy |
+| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | dns | google_dns_policy |
 | [main.tf](./main.tf) | Networking folder and hierarchical policy. | folder · net-firewall-policy | |
 | [monitoring-vpn-onprem.tf](./monitoring-vpn-onprem.tf) | VPN monitoring alerts. | | google_monitoring_alert_policy |
 | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard |
@@ -484,24 +484,24 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables.tf#L42) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
 | [billing_account](variables.tf#L50) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [folder_ids](variables.tf#L101) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
-| [organization](variables.tf#L155) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
-| [prefix](variables.tf#L171) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
+| [folder_ids](variables.tf#L103) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
+| [organization](variables.tf#L157) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
+| [prefix](variables.tf#L173) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
 | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
 | [custom_roles](variables.tf#L63) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
-| [dns](variables.tf#L72) | Onprem DNS resolvers. | map(list(string)) | | {…} | |
-| [factories_config](variables.tf#L80) | Configuration for network resource factories. | object({…}) | | {…} | |
-| [gcp_ranges](variables.tf#L111) | GCP address ranges in name => range format. | map(string) | | {…} | |
-| [groups](variables.tf#L126) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed.
| object({…}) | | {} | 0-bootstrap |
-| [ncc_asn](variables.tf#L136) | The NCC Cloud Routers ASN configuration. | map(number) | | {…} | |
-| [onprem_cidr](variables.tf#L147) | Onprem addresses in name => range format. | map(string) | | {…} | |
-| [outputs_location](variables.tf#L165) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L182) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | null | |
-| [regions](variables.tf#L201) | Region definitions. | object({…}) | | {…} | |
-| [service_accounts](variables.tf#L213) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
-| [vpn_onprem_primary_config](variables.tf#L227) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
-| [vpn_onprem_secondary_config](variables.tf#L270) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | |
-| [zones](variables.tf#L313) | Zones in which NVAs are deployed. | list(string) | | ["b", "c"] | |
+| [dns](variables.tf#L72) | DNS configuration. | object({…}) | | {} | |
+| [factories_config](variables.tf#L82) | Configuration for network resource factories. | object({…}) | | {…} | |
+| [gcp_ranges](variables.tf#L113) | GCP address ranges in name => range format. | map(string) | | {…} | |
+| [groups](variables.tf#L128) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed. | object({…}) | | {} | 0-bootstrap |
+| [ncc_asn](variables.tf#L138) | The NCC Cloud Routers ASN configuration. | map(number) | | {…} | |
+| [onprem_cidr](variables.tf#L149) | Onprem addresses in name => range format.
| map(string) | | {…} | |
+| [outputs_location](variables.tf#L167) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [psa_ranges](variables.tf#L184) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | null | |
+| [regions](variables.tf#L203) | Region definitions. | object({…}) | | {…} | |
+| [service_accounts](variables.tf#L215) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
+| [vpn_onprem_primary_config](variables.tf#L229) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
+| [vpn_onprem_secondary_config](variables.tf#L272) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | |
+| [zones](variables.tf#L315) | Zones in which NVAs are deployed. | list(string) | | ["b", "c"] | |
 ## Outputs
diff --git a/fast/stages/2-networking-e-nva-bgp/dns-dev.tf b/fast/stages/2-networking-e-nva-bgp/dns-dev.tf
index ccedee72..11c721fe 100644
--- a/fast/stages/2-networking-e-nva-bgp/dns-dev.tf
+++ b/fast/stages/2-networking-e-nva-bgp/dns-dev.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -70,3 +70,16 @@ module "dev-dns-peer-landing-rev-10" {
 }
 }
 }
+
+
+# DNS policy to enable query logging
+
+resource "google_dns_policy" "dev-dns-logging-policy" {
+ name = "logging-policy"
+ count = var.dns.enable_logging ? 1 : 0
+ project = module.dev-spoke-project.project_id
+ enable_logging = true
+ networks {
+ network_url = module.dev-spoke-vpc.id
+ }
+}
diff --git a/fast/stages/2-networking-e-nva-bgp/dns-landing.tf b/fast/stages/2-networking-e-nva-bgp/dns-landing.tf
index 5c8e1777..b93fc08a 100644
--- a/fast/stages/2-networking-e-nva-bgp/dns-landing.tf
+++ b/fast/stages/2-networking-e-nva-bgp/dns-landing.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -25,6 +25,7 @@ moved {
 module "landing-dns-fwd-onprem-example" {
 source = "../../../modules/dns"
+ count = length(var.dns.resolvers) > 0 ? 1 : 0
 project_id = module.landing-project.project_id
 name = "example-com"
 zone_config = {
@@ -34,7 +35,7 @@ module "landing-dns-fwd-onprem-example" {
 module.landing-untrusted-vpc.self_link,
 module.landing-trusted-vpc.self_link
 ]
- forwarders = { for ip in var.dns.onprem : ip => null }
+ forwarders = { for ip in var.dns.resolvers : ip => null }
 }
 }
 }
@@ -46,6 +47,7 @@ moved {
 module "landing-dns-fwd-onprem-rev-10" {
 source = "../../../modules/dns"
+ count = length(var.dns.resolvers) > 0 ? 1 : 0
 project_id = module.landing-project.project_id
 name = "root-reverse-10"
 zone_config = {
@@ -55,7 +57,7 @@ module "landing-dns-fwd-onprem-rev-10" {
 module.landing-untrusted-vpc.self_link,
 module.landing-trusted-vpc.self_link
 ]
- forwarders = { for ip in var.dns.onprem : ip => null }
+ forwarders = { for ip in var.dns.resolvers : ip => null }
 }
 }
 }
@@ -95,3 +97,18 @@ module "landing-dns-policy-googleapis" {
 }
 rules_file = var.factories_config.dns_policy_rules_file
 }
+
+# DNS policy to enable query logging
+
+resource "google_dns_policy" "landing-dns-logging-policy" {
+ name = "logging-policy"
+ count = var.dns.enable_logging ? 1 : 0
+ project = module.landing-project.project_id
+ enable_logging = true
+ networks {
+ network_url = module.landing-trusted-vpc.id
+ }
+ networks {
+ network_url = module.landing-untrusted-vpc.id
+ }
+}
diff --git a/fast/stages/2-networking-e-nva-bgp/dns-prod.tf b/fast/stages/2-networking-e-nva-bgp/dns-prod.tf
index 62cfab03..ea0d3a5d 100644
--- a/fast/stages/2-networking-e-nva-bgp/dns-prod.tf
+++ b/fast/stages/2-networking-e-nva-bgp/dns-prod.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -70,3 +70,15 @@ module "prod-dns-peer-landing-rev-10" {
 }
 }
 }
+
+# DNS policy to enable query logging
+
+resource "google_dns_policy" "prod-dns-logging-policy" {
+ name = "logging-policy"
+ count = var.dns.enable_logging ? 1 : 0
+ project = module.prod-spoke-project.project_id
+ enable_logging = true
+ networks {
+ network_url = module.prod-spoke-vpc.id
+ }
+}
diff --git a/fast/stages/2-networking-e-nva-bgp/variables.tf b/fast/stages/2-networking-e-nva-bgp/variables.tf
index d634974d..fd2c055e 100644
--- a/fast/stages/2-networking-e-nva-bgp/variables.tf
+++ b/fast/stages/2-networking-e-nva-bgp/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -70,11 +70,13 @@ variable "custom_roles" {
 }
 variable "dns" {
- description = "Onprem DNS resolvers."
- type = map(list(string))
- default = {
- onprem = ["10.0.200.3"]
- }
+ description = "DNS configuration."
+ type = object({
+ enable_logging = optional(bool, true)
+ resolvers = optional(list(string), [])
+ })
+ default = {}
+ nullable = false
 }
 variable "factories_config" {
diff --git a/tests/fast/stages/s2_networking_a_peering/common.tfvars b/tests/fast/stages/s2_networking_a_peering/common.tfvars
index af41a2a2..b46a10ab 100644
--- a/tests/fast/stages/s2_networking_a_peering/common.tfvars
+++ b/tests/fast/stages/s2_networking_a_peering/common.tfvars
@@ -7,6 +7,10 @@ billing_account = {
 custom_roles = {
 service_project_network_admin = "organizations/123456789012/roles/foo"
 }
+dns = {
+ resolvers = ["10.10.10.10"]
+ enable_logging = true
+}
 folder_ids = {
 networking = null
 networking-dev = null
diff --git a/tests/fast/stages/s2_networking_a_peering/stage.yaml b/tests/fast/stages/s2_networking_a_peering/stage.yaml
index 3ee8b990..a6dad52d 100644
--- a/tests/fast/stages/s2_networking_a_peering/stage.yaml
+++ b/tests/fast/stages/s2_networking_a_peering/stage.yaml
@@ -14,4 +14,4 @@
 counts:
 modules: 29
- resources: 151
+ resources: 154
diff --git a/tests/fast/stages/s2_networking_b_vpn/common.tfvars b/tests/fast/stages/s2_networking_b_vpn/common.tfvars
index 271eb2c0..1aa1f51f 100644
--- a/tests/fast/stages/s2_networking_b_vpn/common.tfvars
+++ b/tests/fast/stages/s2_networking_b_vpn/common.tfvars
@@ -7,6 +7,10 @@ billing_account = {
 custom_roles = {
 service_project_network_admin = "organizations/123456789012/roles/foo"
 }
+dns = {
+ resolvers = ["10.10.10.10"]
+ enable_logging = true
+}
 folder_ids = {
 networking = null
 networking-dev = null
diff --git a/tests/fast/stages/s2_networking_b_vpn/stage.yaml b/tests/fast/stages/s2_networking_b_vpn/stage.yaml
index af6e5cac..712fe3ee 100644
--- a/tests/fast/stages/s2_networking_b_vpn/stage.yaml
+++ b/tests/fast/stages/s2_networking_b_vpn/stage.yaml
@@ -14,4 +14,4 @@
 counts:
 modules: 31
- resources: 188
+ resources: 191
diff --git a/tests/fast/stages/s2_networking_c_nva/common.tfvars b/tests/fast/stages/s2_networking_c_nva/common.tfvars
index d6fd06d7..8660ee8f 100644
--- a/tests/fast/stages/s2_networking_c_nva/common.tfvars
+++ b/tests/fast/stages/s2_networking_c_nva/common.tfvars
@@ -7,6 +7,10 @@ billing_account = {
 custom_roles = {
 service_project_network_admin = "organizations/123456789012/roles/foo"
 }
+dns = {
+ resolvers = ["10.10.10.10"]
+ enable_logging = true
+}
 folder_ids = {
 networking = null
 networking-dev = null
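Review bot: The fixture sets `enable_logging = true` and a non-empty `resolvers` list, which is the default path, so the `count = 0` branches this change adds to the forwarding-zone modules and to the logging policy are never planned by the test suite. A second fixture, or a tfvars override in the stage test, with `enable_logging = false` and `resolvers = []` would cover the disabled path and pin the expected resource count for it. The same holds for the b_vpn, c_nva, d_separate_envs and e_nva_bgp fixtures below.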
diff --git a/tests/fast/stages/s2_networking_c_nva/stage.yaml b/tests/fast/stages/s2_networking_c_nva/stage.yaml
index 01527c99..8b785567 100644
--- a/tests/fast/stages/s2_networking_c_nva/stage.yaml
+++ b/tests/fast/stages/s2_networking_c_nva/stage.yaml
@@ -14,4 +14,4 @@
 counts:
 modules: 43
- resources: 199
+ resources: 202
diff --git a/tests/fast/stages/s2_networking_d_separate_envs/common.tfvars b/tests/fast/stages/s2_networking_d_separate_envs/common.tfvars
index 8e641e33..b7d966a2 100644
--- a/tests/fast/stages/s2_networking_d_separate_envs/common.tfvars
+++ b/tests/fast/stages/s2_networking_d_separate_envs/common.tfvars
@@ -7,6 +7,11 @@ billing_account = {
 custom_roles = {
 service_project_network_admin = "organizations/123456789012/roles/foo"
 }
+dns = {
+ dev_resolvers = ["10.10.10.10"]
+ prod_resolvers = ["10.20.10.10"]
+ enable_logging = true
+}
 folder_ids = {
 networking = null
 networking-dev = null
diff --git a/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml b/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml
index 1c560f76..6df5c894 100644
--- a/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml
+++ b/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml
@@ -14,4 +14,4 @@
 counts:
 modules: 22
- resources: 172
+ resources: 174
diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/common.tfvars b/tests/fast/stages/s2_networking_e_nva_bgp/common.tfvars
index d6fd06d7..8660ee8f 100644
--- a/tests/fast/stages/s2_networking_e_nva_bgp/common.tfvars
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/common.tfvars
@@ -7,6 +7,10 @@ billing_account = {
 custom_roles = {
 service_project_network_admin = "organizations/123456789012/roles/foo"
 }
+dns = {
+ resolvers = ["10.10.10.10"]
+ enable_logging = true
+}
 folder_ids = {
 networking = null
 networking-dev = null
diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml
index dad42420..afc9acd5 100644
--- a/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml
@@ -14,4 +14,4 @@
 counts:
 modules: 37
- resources: 210
+ resources: 213