From b0d32af600dc49660e25c2c4932193e22c2f7828 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Tue, 1 Feb 2022 18:32:47 +0100
Subject: [PATCH] Experimental module to derive DNS inbound policy addresses (#482)

* first version

* add README
---
.../net-dns-policy-address/README.md | 35 +++++++++++++++++++
.../net-dns-policy-address/main.tf | 35 +++++++++++++++++++
.../net-dns-policy-address/outputs.tf | 31 ++++++++++++++++
.../net-dns-policy-address/variables.tf | 27 ++++++++++++++
4 files changed, 128 insertions(+)
create mode 100644 modules/__experimental/net-dns-policy-address/README.md
create mode 100644 modules/__experimental/net-dns-policy-address/main.tf
create mode 100644 modules/__experimental/net-dns-policy-address/outputs.tf
create mode 100644 modules/__experimental/net-dns-policy-address/variables.tf

diff --git a/modules/__experimental/net-dns-policy-address/README.md b/modules/__experimental/net-dns-policy-address/README.md
new file mode 100644
index 00000000..bf345a9b
--- /dev/null
+++ b/modules/__experimental/net-dns-policy-address/README.md
@@ -0,0 +1,35 @@
+# Google Cloud DNS Inbound Policy Addresses
+
+This module allows discovering the addresses reserved in subnets when [DNS Inbound Policies](https://cloud.google.com/dns/docs/policies) are configured.
+
+Since it's currently impossible to fetch those addresses using a GCP data source (see [this issue](https://github.com/hashicorp/terraform-provider-google/issues/3753) for more details), the workaround used here is to derive the authorization token from the Google provider, and do a direct HTTP call to the Compute API.
+
+## Examples
+
+```hcl
+module "dns-policy-addresses" {
+ source = "./modules/_experimental/net-dns-policy-addresses"
+ project_id = "myproject"
+ regions = ["europe-west1", "europe-west3"]
+}
+# tftest skip
+```
+
+The output is a map with lists of addresses of type `DNS_RESOLVER` for each region specified in variables.
+
+
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---:|:---:|:---:|
+| [project_id](variables.tf#L17) | Project id. | string | ✓ | |
+| [regions](variables.tf#L22) | Regions to fetch addresses from. | list(string) | | ["europe-west1"] |
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| [addresses](outputs.tf#L24) | DNS inbound policy addresses per region. | |
+
+
diff --git a/modules/__experimental/net-dns-policy-address/main.tf b/modules/__experimental/net-dns-policy-address/main.tf
new file mode 100644
index 00000000..1a5079ef
--- /dev/null
+++ b/modules/__experimental/net-dns-policy-address/main.tf
@@ -0,0 +1,35 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ url = format(
+ "https://content-compute.googleapis.com/compute/v1/projects/%s",
+ var.project_id
+ )
+}
+
+data "google_client_config" "current" {
+}
+
+data "http" "addresses" {
+ for_each = toset(var.regions)
+ url = "${local.url}/regions/${each.key}/addresses?filter=purpose%20%3D%20%22DNS_RESOLVER%22"
+
+ # Optional request headers
+ request_headers = {
+ Authorization = "Bearer ${data.google_client_config.current.access_token}"
+ }
+}
diff --git a/modules/__experimental/net-dns-policy-address/outputs.tf b/modules/__experimental/net-dns-policy-address/outputs.tf
new file mode 100644
index 00000000..d379f268
--- /dev/null
+++ b/modules/__experimental/net-dns-policy-address/outputs.tf
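Review bot: The `Authorization = "Bearer ${data.google_client_config.current.access_token}"` line hands the provider's OAuth token to `data "http"` as an ordinary `request_headers` value, and data source attributes are persisted in Terraform state, so as far as I can tell the token will be written to state in plaintext (and surface in plan output unless the pinned http provider version marks `request_headers` sensitive — worth verifying). The token is short-lived, but state is routinely stored remotely and shared, so the module should at least say so; the `# Optional request headers` comment above it is also misleading, since this header is what authenticates the call. I'd replace that comment with `# Required: the Compute API call reuses the provider's credentials; note the token is stored in state with the data source`. Separately, the request neither checks the HTTP status nor follows `nextPageToken`, so depending on the http provider version a permission-denied error body may be handed downstream as if it were a list response, and a region with more than one page of addresses is truncated; this shows up in the outputs.tf hunk.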
@@ -0,0 +1,31 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ region_addresses = {
+ for k, v in data.http.addresses : k => try(jsondecode(v.body), {})
+ }
+}
+
+
+output "addresses" {
+ description = "DNS inbound policy addresses per region."
+ value = {
+ for k, v in local.region_addresses : k => [
+ for i in try(v.items, []) : i.address
+ ]
+ }
+}
diff --git a/modules/__experimental/net-dns-policy-address/variables.tf b/modules/__experimental/net-dns-policy-address/variables.tf
new file mode 100644
index 00000000..1b80d160
--- /dev/null
+++ b/modules/__experimental/net-dns-policy-address/variables.tf
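Review bot: The `try(jsondecode(v.body), {})` fallback in `local.region_addresses` together with `try(v.items, [])` in the `addresses` output collapses every failure into an empty list, so a 403 from a missing `compute.addresses.list` permission, an error JSON body, or a non-JSON response is indistinguishable from a region that simply has no `DNS_RESOLVER` addresses. Anything built from this output (firewall rules, forwarding zones) would then silently come out empty rather than failing the plan. I'd drop the outer `try` so the line reads `for k, v in data.http.addresses : k => jsondecode(v.body)`, keeping only `try(v.items, [])`, since a successful list with no results legitimately omits `items`. The Compute API list response is also paginated via `nextPageToken`, which this decode ignores; that limitation belongs in the output's `description`, e.g. `"DNS inbound policy addresses per region (first page of API results only)."`.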
@@ -0,0 +1,27 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "Project id."
+ type = string
+}
+
+variable "regions" {
+ description = "Regions to fetch addresses from."
+ nullable = false
+ type = list(string)
+ default = ["europe-west1"]
+}
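Review bot: Both `project_id` and every element of `regions` are interpolated straight into the Compute API URL in main.tf, and neither variable has a `validation` block, so a stray `/`, `?` or whitespace in a region name silently changes the request path instead of failing at plan time. A `validation` on `regions` that checks each element against the region naming shape catches this early; `project_id` deserves the same treatment and is also missing the `nullable = false` that `regions` already carries.

```hcl
variable "regions" {
  # … unchanged: description, nullable, type, default …
  validation {
    condition = alltrue([
      for r in var.regions : can(regex("^[a-z]+-[a-z]+[0-9]+$", r))
    ])
    error_message = "Region names must look like 'europe-west1'; they are interpolated into the Compute API URL."
  }
}
```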