PGA DNS records (#911)

Additional PGA DNS records
2022-10-25 14:28:28 +02:00 · 2022-10-25 14:28:28 +02:00 · 7b2a82a7d6
parent d0e2f0d59a
commit 7b2a82a7d6
9 changed files with 346 additions and 3 deletions
--- a/fast/stages/02-networking-nva/README.md
+++ b/fast/stages/02-networking-nva/README.md
@ -172,6 +172,13 @@ DNS configuration is further centralized by leveraging peering zones, so that

 - the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com)
 - the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing.
+- Private Google Access is enabled for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
+  - `private.googleapis.com`
+  - `restricted.googleapis.com`
+  - `gcr.io`
+  - `packages.cloud.google.com`
+  - `pkg.dev`
+  - `pki.goog`

 To complete the configuration, the 35.199.192.0/19 range should be routed to the VPN tunnels from on-premises, and the following names should be configured for DNS forwarding to cloud:

--- a/fast/stages/02-networking-nva/dns-landing.tf
+++ b/fast/stages/02-networking-nva/dns-landing.tf
@ -59,7 +59,7 @@ module "gcp-example-dns-private-zone" {
  }
 }

-# Google API zone to trigger Private Access
+# Google APIs

 module "googleapis-private-zone" {
  source     = "../../../modules/dns"
@ -81,3 +81,75 @@ module "googleapis-private-zone" {
    "CNAME *" = { records = ["private.googleapis.com."] }
  }
 }
+
+module "gcrio-private-zone" {
+  source     = "../../../modules/dns"
+  project_id = module.landing-project.project_id
+  type       = "private"
+  name       = "gcr-io"
+  domain     = "gcr.io."
+  client_networks = [
+    module.landing-untrusted-vpc.self_link,
+    module.landing-trusted-vpc.self_link
+  ]
+  recordsets = {
+    "A gcr.io." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
+
+module "packages-private-zone" {
+  source     = "../../../modules/dns"
+  project_id = module.landing-project.project_id
+  type       = "private"
+  name       = "packages-cloud"
+  domain     = "packages.cloud.google.com."
+  client_networks = [
+    module.landing-untrusted-vpc.self_link,
+    module.landing-trusted-vpc.self_link
+  ]
+  recordsets = {
+    "A packages.cloud.google.com." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
+
+module "pkgdev-private-zone" {
+  source     = "../../../modules/dns"
+  project_id = module.landing-project.project_id
+  type       = "private"
+  name       = "pkg-dev"
+  domain     = "pkg.dev."
+  client_networks = [
+    module.landing-untrusted-vpc.self_link,
+    module.landing-trusted-vpc.self_link
+  ]
+  recordsets = {
+    "A pkg.dev." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
+
+module "pkigoog-private-zone" {
+  source     = "../../../modules/dns"
+  project_id = module.landing-project.project_id
+  type       = "private"
+  name       = "pki-goog"
+  domain     = "pki.goog."
+  client_networks = [
+    module.landing-untrusted-vpc.self_link,
+    module.landing-trusted-vpc.self_link
+  ]
+  recordsets = {
+    "A pki.goog." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
--- a/fast/stages/02-networking-peering/README.md
+++ b/fast/stages/02-networking-peering/README.md
@ -102,6 +102,13 @@ DNS configuration is further centralized by leveraging peering zones, so that

 - the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com)
 - the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing.
+- Private Google Access is enabled for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
+  - `private.googleapis.com`
+  - `restricted.googleapis.com`
+  - `gcr.io`
+  - `packages.cloud.google.com`
+  - `pkg.dev`
+  - `pki.goog`

 To complete the configuration, the 35.199.192.0/19 range should be routed on the VPN tunnels from on-prem, and the following names configured for DNS forwarding to cloud:

--- a/fast/stages/02-networking-peering/dns-landing.tf
+++ b/fast/stages/02-networking-peering/dns-landing.tf
@ -50,7 +50,7 @@ module "gcp-example-dns-private-zone" {
  }
 }

-# Google API zone to trigger Private Access
+# Google APIs

 module "googleapis-private-zone" {
  source          = "../../../modules/dns"
@ -69,3 +69,63 @@ module "googleapis-private-zone" {
    "CNAME *" = { records = ["private.googleapis.com."] }
  }
 }
+
+module "gcrio-private-zone" {
+  source          = "../../../modules/dns"
+  project_id      = module.landing-project.project_id
+  type            = "private"
+  name            = "gcr-io"
+  domain          = "gcr.io."
+  client_networks = [module.landing-vpc.self_link]
+  recordsets = {
+    "A gcr.io." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
+
+module "packages-private-zone" {
+  source          = "../../../modules/dns"
+  project_id      = module.landing-project.project_id
+  type            = "private"
+  name            = "packages-cloud"
+  domain          = "packages.cloud.google.com."
+  client_networks = [module.landing-vpc.self_link]
+  recordsets = {
+    "A packages.cloud.google.com." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
+
+module "pkgdev-private-zone" {
+  source          = "../../../modules/dns"
+  project_id      = module.landing-project.project_id
+  type            = "private"
+  name            = "pkg-dev"
+  domain          = "pkg.dev."
+  client_networks = [module.landing-vpc.self_link]
+  recordsets = {
+    "A pkg.dev." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
+
+module "pkigoog-private-zone" {
+  source          = "../../../modules/dns"
+  project_id      = module.landing-project.project_id
+  type            = "private"
+  name            = "pki-goog"
+  domain          = "pki.goog."
+  client_networks = [module.landing-vpc.self_link]
+  recordsets = {
+    "A pki.goog." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
--- a/fast/stages/02-networking-separate-envs/README.md
+++ b/fast/stages/02-networking-separate-envs/README.md
@ -69,6 +69,13 @@ DNS often goes hand in hand with networking, especially on GCP where Cloud DNS z

 - on-prem to cloud via private zones for cloud-managed domains, and an [inbound policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) used as forwarding target or via delegation (requires some extra configuration) from on-prem DNS resolvers
 - cloud to on-prem via forwarding zones for the on-prem managed domains
+- Private Google Access is enabled for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
+  - `private.googleapis.com`
+  - `restricted.googleapis.com`
+  - `gcr.io`
+  - `packages.cloud.google.com`
+  - `pkg.dev`
+  - `pki.goog`

 To complete the configuration, the 35.199.192.0/19 range should be routed on the VPN tunnels from on-prem, and the following names configured for DNS forwarding to cloud:

--- a/fast/stages/02-networking-separate-envs/dns-dev.tf
+++ b/fast/stages/02-networking-separate-envs/dns-dev.tf
@ -50,6 +50,8 @@ module "dev-reverse-10-dns-forwarding" {
  forwarders      = { for ip in var.dns.dev : ip => null }
 }

+# Google APIs
+
 module "dev-googleapis-private-zone" {
  source          = "../../../modules/dns"
  project_id      = module.dev-spoke-project.project_id
@ -67,3 +69,63 @@ module "dev-googleapis-private-zone" {
    "CNAME *" = { records = ["private.googleapis.com."] }
  }
 }
+
+module "dev-gcrio-private-zone" {
+  source          = "../../../modules/dns"
+  project_id      = module.dev-spoke-project.project_id
+  type            = "private"
+  name            = "gcr-io"
+  domain          = "gcr.io."
+  client_networks = [module.dev-spoke-vpc.self_link]
+  recordsets = {
+    "A gcr.io." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
+
+module "dev-packages-private-zone" {
+  source          = "../../../modules/dns"
+  project_id      = module.dev-spoke-project.project_id
+  type            = "private"
+  name            = "packages-cloud"
+  domain          = "packages.cloud.google.com."
+  client_networks = [module.dev-spoke-vpc.self_link]
+  recordsets = {
+    "A packages.cloud.google.com." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
+
+module "dev-pkgdev-private-zone" {
+  source          = "../../../modules/dns"
+  project_id      = module.dev-spoke-project.project_id
+  type            = "private"
+  name            = "pkg-dev"
+  domain          = "pkg.dev."
+  client_networks = [module.dev-spoke-vpc.self_link]
+  recordsets = {
+    "A pkg.dev." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
+
+module "dev-pkigoog-private-zone" {
+  source          = "../../../modules/dns"
+  project_id      = module.dev-spoke-project.project_id
+  type            = "private"
+  name            = "pki-goog"
+  domain          = "pki.goog."
+  client_networks = [module.dev-spoke-vpc.self_link]
+  recordsets = {
+    "A pki.goog." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
--- a/fast/stages/02-networking-separate-envs/dns-prod.tf
+++ b/fast/stages/02-networking-separate-envs/dns-prod.tf
@ -50,6 +50,7 @@ module "prod-reverse-10-dns-forwarding" {
  forwarders      = { for ip in var.dns.prod : ip => null }
 }

+# Google APIs

 module "prod-googleapis-private-zone" {
  source          = "../../../modules/dns"
@ -68,3 +69,63 @@ module "prod-googleapis-private-zone" {
    "CNAME *" = { records = ["private.googleapis.com."] }
  }
 }
+
+module "prod-gcrio-private-zone" {
+  source          = "../../../modules/dns"
+  project_id      = module.prod-spoke-project.project_id
+  type            = "private"
+  name            = "gcr-io"
+  domain          = "gcr.io."
+  client_networks = [module.prod-spoke-vpc.self_link]
+  recordsets = {
+    "A gcr.io." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
+
+module "prod-packages-private-zone" {
+  source          = "../../../modules/dns"
+  project_id      = module.prod-spoke-project.project_id
+  type            = "private"
+  name            = "packages-cloud"
+  domain          = "packages.cloud.google.com."
+  client_networks = [module.prod-spoke-vpc.self_link]
+  recordsets = {
+    "A packages.cloud.google.com." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
+
+module "prod-pkgdev-private-zone" {
+  source          = "../../../modules/dns"
+  project_id      = module.prod-spoke-project.project_id
+  type            = "private"
+  name            = "pkg-dev"
+  domain          = "pkg.dev."
+  client_networks = [module.prod-spoke-vpc.self_link]
+  recordsets = {
+    "A pkg.dev." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
+
+module "prod-pkigoog-private-zone" {
+  source          = "../../../modules/dns"
+  project_id      = module.prod-spoke-project.project_id
+  type            = "private"
+  name            = "pki-goog"
+  domain          = "pki.goog."
+  client_networks = [module.prod-spoke-vpc.self_link]
+  recordsets = {
+    "A pki.goog." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
--- a/fast/stages/02-networking-vpn/README.md
+++ b/fast/stages/02-networking-vpn/README.md
@ -108,6 +108,13 @@ DNS configuration is further centralized by leveraging peering zones, so that

 - the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com)
 - the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing.
+- Private Google Access is enabled for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
+  - `private.googleapis.com`
+  - `restricted.googleapis.com`
+  - `gcr.io`
+  - `packages.cloud.google.com`
+  - `pkg.dev`
+  - `pki.goog`

 To complete the configuration, the 35.199.192.0/19 range should be routed on the VPN tunnels from on-prem, and the following names configured for DNS forwarding to cloud:

--- a/fast/stages/02-networking-vpn/dns-landing.tf
+++ b/fast/stages/02-networking-vpn/dns-landing.tf
@ -50,7 +50,7 @@ module "gcp-example-dns-private-zone" {
  }
 }

-# Google API zone to trigger Private Access
+# Google APIs

 module "googleapis-private-zone" {
  source          = "../../../modules/dns"
@ -69,3 +69,63 @@ module "googleapis-private-zone" {
    "CNAME *" = { records = ["private.googleapis.com."] }
  }
 }
+
+module "gcrio-private-zone" {
+  source          = "../../../modules/dns"
+  project_id      = module.landing-project.project_id
+  type            = "private"
+  name            = "gcr-io"
+  domain          = "gcr.io."
+  client_networks = [module.landing-vpc.self_link]
+  recordsets = {
+    "A gcr.io." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
+
+module "packages-private-zone" {
+  source          = "../../../modules/dns"
+  project_id      = module.landing-project.project_id
+  type            = "private"
+  name            = "packages-cloud"
+  domain          = "packages.cloud.google.com."
+  client_networks = [module.landing-vpc.self_link]
+  recordsets = {
+    "A packages.cloud.google.com." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
+
+module "pkgdev-private-zone" {
+  source          = "../../../modules/dns"
+  project_id      = module.landing-project.project_id
+  type            = "private"
+  name            = "pkg-dev"
+  domain          = "pkg.dev."
+  client_networks = [module.landing-vpc.self_link]
+  recordsets = {
+    "A pkg.dev." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}
+
+module "pkigoog-private-zone" {
+  source          = "../../../modules/dns"
+  project_id      = module.landing-project.project_id
+  type            = "private"
+  name            = "pki-goog"
+  domain          = "pki.goog."
+  client_networks = [module.landing-vpc.self_link]
+  recordsets = {
+    "A pki.goog." = { ttl = 300, records = [
+      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+    ] }
+    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+  }
+}