Refactoring of dns module

2023-07-18 19:32:57 +02:00 · 2023-07-18 19:32:57 +02:00 · cacb0c02e2
parent d16b616821
commit cacb0c02e2
60 changed files with 858 additions and 836 deletions
--- a/blueprints/cloud-operations/dns-fine-grained-iam/README.md
+++ b/blueprints/cloud-operations/dns-fine-grained-iam/README.md
@ -128,5 +128,5 @@ module "test1" {
  project_create = true
  project_id     = "test"
 }
-# tftest modules=9 resources=27
+# tftest modules=9 resources=28
 ```
--- a/blueprints/cloud-operations/dns-fine-grained-iam/main.tf
+++ b/blueprints/cloud-operations/dns-fine-grained-iam/main.tf
@ -58,13 +58,16 @@ module "nat-a" {
 }

 module "dns-service-zone" {
-  source                      = "../../../modules/dns"
-  project_id                  = module.project.project_id
-  type                        = "service-directory"
-  name                        = var.name
-  domain                      = var.zone_domain
-  client_networks             = [module.vpc.self_link]
-  service_directory_namespace = module.service-directory.id
+  source     = "../../../modules/dns"
+  project_id = module.project.project_id
+  name       = var.name
+  zone_config = {
+    domain = var.zone_domain
+    private = {
+      client_networks             = [module.vpc.self_link]
+      service_directory_namespace = module.service-directory.id
+    }
+  }
 }

 module "service-directory" {
--- a/blueprints/cloud-operations/dns-shared-vpc/README.md
+++ b/blueprints/cloud-operations/dns-shared-vpc/README.md
@ -51,5 +51,5 @@ module "test" {
  shared_vpc_link    = "https://www.googleapis.com/compute/v1/projects/test-dns/global/networks/default"
  teams              = ["team1", "team2"]
 }
-# tftest modules=9 resources=16
+# tftest modules=9 resources=20
 ```
--- a/blueprints/cloud-operations/dns-shared-vpc/main.tf
+++ b/blueprints/cloud-operations/dns-shared-vpc/main.tf
@ -39,24 +39,30 @@ module "vpc" {
 }

 module "dns-private" {
-  source          = "../../../modules/dns"
-  for_each        = local.projects
-  project_id      = each.value
-  type            = "private"
-  name            = each.key
-  domain          = "${each.key}.${var.dns_domain}."
-  description     = "DNS zone for ${each.key}"
-  client_networks = [module.vpc[each.key].self_link]
+  source      = "../../../modules/dns"
+  for_each    = local.projects
+  project_id  = each.value
+  name        = each.key
+  description = "DNS zone for ${each.key}"
+  zone_config = {
+    domain = "${each.key}.${var.dns_domain}."
+    private = {
+      client_networks = [module.vpc[each.key].self_link]
+    }
+  }
 }

 module "dns-peering" {
-  source          = "../../../modules/dns"
-  for_each        = local.projects
-  project_id      = local.svpc_project_id
-  name            = "peering-${each.key}"
-  domain          = "${each.key}.${var.dns_domain}."
-  description     = "DNS peering for ${each.key}"
-  type            = "peering"
-  peer_network    = module.vpc[each.key].self_link
-  client_networks = [var.shared_vpc_link]
+  source      = "../../../modules/dns"
+  for_each    = local.projects
+  project_id  = local.svpc_project_id
+  name        = "peering-${each.key}"
+  description = "DNS peering for ${each.key}"
+  zone_config = {
+    domain = "${each.key}.${var.dns_domain}."
+    peering = {
+      peer_network    = module.vpc[each.key].self_link
+      client_networks = [var.shared_vpc_link]
+    }
+  }
 }
--- a/blueprints/factories/project-factory/README.md
+++ b/blueprints/factories/project-factory/README.md
@ -76,7 +76,7 @@ module "projects" {
  service_identities_iam = try(each.value.service_identities_iam, {})
  vpc                    = try(each.value.vpc, null)
 }
-# tftest modules=7 resources=34 inventory=example.yaml
+# tftest modules=7 resources=36 inventory=example.yaml
 ```

 ### Projects configuration
--- a/blueprints/factories/project-factory/main.tf
+++ b/blueprints/factories/project-factory/main.tf
@ -167,13 +167,16 @@ module "billing-alert" {
 }

 module "dns" {
-  source          = "../../../modules/dns"
-  for_each        = toset(var.dns_zones)
-  project_id      = coalesce(local.vpc.host_project, module.project.project_id)
-  type            = "private"
-  name            = each.value
-  domain          = "${each.value}.${var.defaults.environment_dns_zone}"
-  client_networks = [var.defaults.shared_vpc_self_link]
+  source     = "../../../modules/dns"
+  for_each   = toset(var.dns_zones)
+  project_id = coalesce(local.vpc.host_project, module.project.project_id)
+  name       = each.value
+  zone_config = {
+    domain = "${each.value}.${var.defaults.environment_dns_zone}"
+    private = {
+      client_networks = [var.defaults.shared_vpc_self_link]
+    }
+  }
 }

 module "project" {
--- a/blueprints/networking/__need_fixing/onprem-google-access-dns/main.tf
+++ b/blueprints/networking/__need_fixing/onprem-google-access-dns/main.tf
@ -157,12 +157,15 @@ module "nat2" {
 ################################################################################

 module "dns-gcp" {
-  source          = "../../../modules/dns"
-  project_id      = var.project_id
-  type            = "private"
-  name            = "gcp-example"
-  domain          = "gcp.example.org."
-  client_networks = [module.vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = var.project_id
+  name       = "gcp-example"
+  zone_config = {
+    domain = "gcp.example.org."
+    private = {
+      client_networks = [module.vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
    "A test-1"    = { records = [module.vm-test1.internal_ip] }
@ -171,12 +174,15 @@ module "dns-gcp" {
 }

 module "dns-api" {
-  source          = "../../../modules/dns"
-  project_id      = var.project_id
-  type            = "private"
-  name            = "googleapis"
-  domain          = "googleapis.com."
-  client_networks = [module.vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = var.project_id
+  name       = "googleapis"
+  zone_config = {
+    domain = "googleapis.com."
+    private = {
+      client_networks = [module.vpc.self_link]
+    }
+  }
  recordsets = {
    "CNAME *"      = { records = ["private.googleapis.com."] }
    "A private"    = { records = local.vips.private }
@ -185,14 +191,17 @@ module "dns-api" {
 }

 module "dns-onprem" {
-  source          = "../../../modules/dns"
-  project_id      = var.project_id
-  type            = "forwarding"
-  name            = "onprem-example"
-  domain          = "onprem.example.org."
-  client_networks = [module.vpc.self_link]
-  forwarders = {
-    "${cidrhost(var.ip_ranges.onprem, 3)}" = null
+  source     = "../../../modules/dns"
+  project_id = var.project_id
+  name       = "onprem-example"
+  zone_config = {
+    domain = "onprem.example.org."
+    forwarding = {
+      client_networks = [module.vpc.self_link]
+      forwarders = {
+        "${cidrhost(var.ip_ranges.onprem, 3)}" = null
+      }
+    }
  }
 }

--- a/blueprints/networking/decentralized-firewall/README.md
+++ b/blueprints/networking/decentralized-firewall/README.md
@ -51,5 +51,5 @@ module "test" {
  root_node          = "organizations/0123456789"
 }

-# tftest modules=9 resources=54
+# tftest modules=9 resources=56
 ```
--- a/blueprints/networking/decentralized-firewall/main.tf
+++ b/blueprints/networking/decentralized-firewall/main.tf
@ -77,24 +77,30 @@ module "vpc-dev" {
 ###############################################################################

 module "dns-api-prod" {
-  source          = "../../../modules/dns"
-  project_id      = module.project-host-prod.project_id
-  type            = "private"
-  name            = "googleapis"
-  domain          = "googleapis.com."
-  client_networks = [module.vpc-prod.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.project-host-prod.project_id
+  name       = "googleapis"
+  zone_config = {
+    domain = "googleapis.com."
+    private = {
+      client_networks = [module.vpc-prod.self_link]
+    }
+  }
  recordsets = {
    "CNAME *" = { records = ["private.googleapis.com."] }
  }
 }

 module "dns-api-dev" {
-  source          = "../../../modules/dns"
-  project_id      = module.project-host-dev.project_id
-  type            = "private"
-  name            = "googleapis"
-  domain          = "googleapis.com."
-  client_networks = [module.vpc-dev.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.project-host-dev.project_id
+  name       = "googleapis"
+  zone_config = {
+    domain = "googleapis.com."
+    private = {
+      client_networks = [module.vpc-dev.self_link]
+    }
+  }
  recordsets = {
    "CNAME *" = { records = ["private.googleapis.com."] }
  }
--- a/blueprints/networking/filtering-proxy-psc/README.md
+++ b/blueprints/networking/filtering-proxy-psc/README.md
@ -40,5 +40,5 @@ module "test" {
  }
  project_id = "test-project"
 }
-# tftest modules=13 resources=41
+# tftest modules=13 resources=42
 ```
--- a/blueprints/networking/filtering-proxy-psc/consumer.tf
+++ b/blueprints/networking/filtering-proxy-psc/consumer.tf
@ -81,12 +81,15 @@ resource "google_compute_forwarding_rule" "psc_ilb_consumer" {
 ###############################################################################

 module "private-dns" {
-  source          = "../../../modules/dns"
-  project_id      = module.project.project_id
-  type            = "private"
-  name            = "${var.prefix}-internal"
-  domain          = "internal."
-  client_networks = [module.vpc-consumer.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.project.project_id
+  name       = "${var.prefix}-internal"
+  zone_config = {
+    domain = "internal."
+    private = {
+      client_networks = [module.vpc-consumer.self_link]
+    }
+  }
  recordsets = {
    "A squid"     = { ttl = 60, records = [google_compute_address.psc_endpoint_address.address] }
    "CNAME proxy" = { ttl = 3600, records = ["squid.internal."] }
--- a/blueprints/networking/filtering-proxy/README.md
+++ b/blueprints/networking/filtering-proxy/README.md
@ -47,7 +47,7 @@ module "test1" {
  prefix          = "fabric"
  root_node       = "folders/123456789"
 }
-# tftest modules=14 resources=38
+# tftest modules=14 resources=39
 ```

 ```hcl
@ -58,5 +58,5 @@ module "test2" {
  prefix          = "fabric"
  root_node       = "folders/123456789"
 }
-# tftest modules=12 resources=32
+# tftest modules=12 resources=33
 ```
--- a/blueprints/networking/filtering-proxy/main.tf
+++ b/blueprints/networking/filtering-proxy/main.tf
@ -114,12 +114,15 @@ module "nat" {
 }

 module "private-dns" {
-  source          = "../../../modules/dns"
-  project_id      = module.project-host.project_id
-  type            = "private"
-  name            = "internal"
-  domain          = "internal."
-  client_networks = [module.vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.project-host.project_id
+  name       = "internal"
+  zone_config = {
+    domain = "internal."
+    private = {
+      client_networks = [module.vpc.self_link]
+    }
+  }
  recordsets = {
    "A squid"     = { ttl = 60, records = [local.squid_address] }
    "CNAME proxy" = { ttl = 3600, records = ["squid.internal."] }
--- a/blueprints/networking/hub-and-spoke-vpn/README.md
+++ b/blueprints/networking/hub-and-spoke-vpn/README.md
@ -114,5 +114,5 @@ module "test" {
  project_id = "project-1"
 }

-# tftest modules=20 resources=79
+# tftest modules=20 resources=84
 ```
--- a/blueprints/networking/hub-and-spoke-vpn/net-dev.tf
+++ b/blueprints/networking/hub-and-spoke-vpn/net-dev.tf
@ -48,22 +48,28 @@ module "dev-firewall" {
 }

 module "dev-dns-peering" {
-  source          = "../../../modules/dns"
-  project_id      = var.project_id
-  type            = "peering"
-  name            = "${var.prefix}-example-com-dev-peering"
-  domain          = "example.com."
-  client_networks = [module.dev-vpc.self_link]
-  peer_network    = module.landing-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = var.project_id
+  name       = "${var.prefix}-example-com-dev-peering"
+  zone_config = {
+    domain = "example.com."
+    peering = {
+      client_networks = [module.dev-vpc.self_link]
+      peer_network    = module.landing-vpc.self_link
+    }
+  }
 }

 module "dev-dns-zone" {
-  source          = "../../../modules/dns"
-  project_id      = var.project_id
-  type            = "private"
-  name            = "${var.prefix}-dev-example-com"
-  domain          = "dev.example.com."
-  client_networks = [module.landing-vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = var.project_id
+  name       = "${var.prefix}-dev-example-com"
+  zone_config = {
+    domain = "dev.example.com."
+    private = {
+      client_networks = [module.landing-vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
    "A test-r2"   = { records = [module.dev-r2-vm.internal_ip] }
--- a/blueprints/networking/hub-and-spoke-vpn/net-landing.tf
+++ b/blueprints/networking/hub-and-spoke-vpn/net-landing.tf
@ -48,12 +48,15 @@ module "landing-firewall" {
 }

 module "landing-dns-zone" {
-  source          = "../../../modules/dns"
-  project_id      = var.project_id
-  type            = "private"
-  name            = "${var.prefix}-example-com"
-  domain          = "example.com."
-  client_networks = [module.landing-vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = var.project_id
+  name       = "${var.prefix}-example-com"
+  zone_config = {
+    domain = "example.com."
+    private = {
+      client_networks = [module.landing-vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
    "A test-r1"   = { records = [module.landing-r1-vm.internal_ip] }
--- a/blueprints/networking/hub-and-spoke-vpn/net-prod.tf
+++ b/blueprints/networking/hub-and-spoke-vpn/net-prod.tf
@ -48,22 +48,28 @@ module "prod-firewall" {
 }

 module "prod-dns-peering" {
-  source          = "../../../modules/dns"
-  project_id      = var.project_id
-  type            = "peering"
-  name            = "${var.prefix}-example-com-prd-peering"
-  domain          = "example.com."
-  client_networks = [module.prod-vpc.self_link]
-  peer_network    = module.landing-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = var.project_id
+  name       = "${var.prefix}-example-com-prd-peering"
+  zone_config = {
+    domain = "example.com."
+    peering = {
+      client_networks = [module.prod-vpc.self_link]
+      peer_network    = module.landing-vpc.self_link
+    }
+  }
 }

 module "prod-dns-zone" {
-  source          = "../../../modules/dns"
-  project_id      = var.project_id
-  type            = "private"
-  name            = "${var.prefix}-prd-example-com"
-  domain          = "prd.example.com."
-  client_networks = [module.landing-vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = var.project_id
+  name       = "${var.prefix}-prd-example-com"
+  zone_config = {
+    domain = "prd.example.com."
+    private = {
+      client_networks = [module.landing-vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
    "A test-r1"   = { records = [module.prod-r1-vm.internal_ip] }
--- a/blueprints/networking/private-cloud-function-from-onprem/README.md
+++ b/blueprints/networking/private-cloud-function-from-onprem/README.md
@ -45,5 +45,5 @@ module "test" {
  }
  project_id = "test-project"
 }
-# tftest modules=11 resources=44
+# tftest modules=11 resources=45
 ```
--- a/blueprints/networking/private-cloud-function-from-onprem/main.tf
+++ b/blueprints/networking/private-cloud-function-from-onprem/main.tf
@ -199,12 +199,15 @@ module "function-hello" {
 ###############################################################################

 module "private-dns-onprem" {
-  source          = "../../../modules/dns"
-  project_id      = module.project.project_id
-  type            = "private"
-  name            = var.name
-  domain          = "${var.region}-${module.project.project_id}.cloudfunctions.net."
-  client_networks = [module.vpc-onprem.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.project.project_id
+  name       = var.name
+  zone_config = {
+    domain = "${var.region}-${module.project.project_id}.cloudfunctions.net."
+    private = {
+      client_networks = [module.vpc-onprem.self_link]
+    }
+  }
  recordsets = {
    "A " = { records = [module.addresses.psc_addresses[local.psc_name].address] }
  }
--- a/blueprints/networking/shared-vpc-gke/README.md
+++ b/blueprints/networking/shared-vpc-gke/README.md
@ -80,5 +80,5 @@ module "test" {
  prefix             = "test"
  root_node          = "organizations/0123456789"
 }
-# tftest modules=11 resources=45
+# tftest modules=11 resources=46
 ```
--- a/blueprints/networking/shared-vpc-gke/main.tf
+++ b/blueprints/networking/shared-vpc-gke/main.tf
@ -152,12 +152,15 @@ module "nat" {
 ################################################################################

 module "host-dns" {
-  source          = "../../../modules/dns"
-  project_id      = module.project-host.project_id
-  type            = "private"
-  name            = "example"
-  domain          = "example.com."
-  client_networks = [module.vpc-shared.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.project-host.project_id
+  name       = "example"
+  zone_config = {
+    domain = "example.com."
+    private = {
+      client_networks = [module.vpc-shared.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
    "A bastion"   = { records = [module.vm-bastion.internal_ip] }
--- a/blueprints/serverless/cloud-run-corporate/README.md
+++ b/blueprints/serverless/cloud-run-corporate/README.md
@ -252,7 +252,7 @@ module "test" {
  prj_onprem_id = "onprem-project-id"
 }

-# tftest modules=15 resources=50
+# tftest modules=15 resources=52
 ```

 ```hcl
@ -276,7 +276,7 @@ module "test" {
  tf_identity = "user@example.org"
 }

-# tftest modules=15 resources=36
+# tftest modules=15 resources=38
 ```

 ```hcl
@ -295,5 +295,5 @@ module "test" {
  custom_domain = "cloud-run-corporate.example.org"
 }

-# tftest modules=14 resources=45
+# tftest modules=14 resources=47
 ```
--- a/blueprints/serverless/cloud-run-corporate/main.tf
+++ b/blueprints/serverless/cloud-run-corporate/main.tf
@ -490,51 +490,63 @@ module "vm_test_svc1" {
 ###############################################################################

 module "private_dns_main" {
-  source          = "../../../modules/dns"
-  project_id      = module.project_main.project_id
-  type            = "private"
-  name            = "dns-main"
-  client_networks = [module.vpc_main.self_link]
-  domain          = local.cloud_run_domain
+  source     = "../../../modules/dns"
+  project_id = module.project_main.project_id
+  name       = "dns-main"
+  zone_config = {
+    domain = local.cloud_run_domain
+    private = {
+      client_networks = [module.vpc_main.self_link]
+    }
+  }
  recordsets = {
    "A *" = { records = [module.psc_addr_main.psc_addresses["psc-addr"].address] }
  }
 }

 module "private_dns_main_custom" {
-  source          = "../../../modules/dns"
-  count           = var.custom_domain == null ? 0 : 1
-  project_id      = module.project_main.project_id
-  type            = "private"
-  name            = "dns-main-custom"
-  client_networks = [module.vpc_main.self_link]
-  domain          = format("%s.", var.custom_domain)
+  source     = "../../../modules/dns"
+  count      = var.custom_domain == null ? 0 : 1
+  project_id = module.project_main.project_id
+  name       = "dns-main-custom"
+  zone_config = {
+    domain = format("%s.", var.custom_domain)
+    private = {
+      client_networks = [module.vpc_main.self_link]
+    }
+  }
  recordsets = {
    "A " = { records = [module.ilb-l7[0].address] }
  }
 }

 module "private_dns_onprem" {
-  source          = "../../../modules/dns"
-  count           = length(module.project_onprem)
-  project_id      = module.project_onprem[0].project_id
-  type            = "private"
-  name            = "dns-onprem"
-  client_networks = [module.vpc_onprem[0].self_link]
-  domain          = local.cloud_run_domain
+  source     = "../../../modules/dns"
+  count      = length(module.project_onprem)
+  project_id = module.project_onprem[0].project_id
+  name       = "dns-onprem"
+  zone_config = {
+    domain = local.cloud_run_domain
+    private = {
+      client_networks = [module.vpc_onprem[0].self_link]
+    }
+  }
  recordsets = {
    "A *" = { records = [module.psc_addr_main.psc_addresses["psc-addr"].address] }
  }
 }

 module "private_dns_prj1" {
-  source          = "../../../modules/dns"
-  count           = length(module.project_prj1)
-  project_id      = module.project_prj1[0].project_id
-  type            = "private"
-  name            = "dns-prj1"
-  client_networks = [module.vpc_prj1[0].self_link]
-  domain          = local.cloud_run_domain
+  source     = "../../../modules/dns"
+  count      = length(module.project_prj1)
+  project_id = module.project_prj1[0].project_id
+  name       = "dns-prj1"
+  zone_config = {
+    domain = local.cloud_run_domain
+    private = {
+      client_networks = [module.vpc_prj1[0].self_link]
+    }
+  }
  recordsets = {
    "A *" = { records = [module.psc_addr_prj1[0].psc_addresses["psc-addr"].address] }
  }
--- a/fast/stages/2-networking-a-peering/dns-dev.tf
+++ b/fast/stages/2-networking-a-peering/dns-dev.tf
@ -24,12 +24,15 @@ moved {
 }

 module "dev-dns-priv-example" {
-  source          = "../../../modules/dns"
-  project_id      = module.dev-spoke-project.project_id
-  type            = "private"
-  name            = "dev-gcp-example-com"
-  domain          = "dev.gcp.example.com."
-  client_networks = [module.landing-vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.dev-spoke-project.project_id
+  name       = "dev-gcp-example-com"
+  zone_config = {
+    domain = "dev.gcp.example.com."
+    private = {
+      client_networks = [module.landing-vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
  }
@ -43,13 +46,16 @@ moved {
 }

 module "dev-dns-peer-landing-root" {
-  source          = "../../../modules/dns"
-  project_id      = module.dev-spoke-project.project_id
-  type            = "peering"
-  name            = "dev-root-dns-peering"
-  domain          = "."
-  client_networks = [module.dev-spoke-vpc.self_link]
-  peer_network    = module.landing-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = module.dev-spoke-project.project_id
+  name       = "dev-root-dns-peering"
+  zone_config = {
+    domain = "."
+    peering = {
+      client_networks = [module.dev-spoke-vpc.self_link]
+      peer_network    = module.landing-vpc.self_link
+    }
+  }
 }

 moved {
@ -58,11 +64,14 @@ moved {
 }

 module "dev-dns-peer-landing-rev-10" {
-  source          = "../../../modules/dns"
-  project_id      = module.dev-spoke-project.project_id
-  type            = "peering"
-  name            = "dev-reverse-10-dns-peering"
-  domain          = "10.in-addr.arpa."
-  client_networks = [module.dev-spoke-vpc.self_link]
-  peer_network    = module.landing-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = module.dev-spoke-project.project_id
+  name       = "dev-reverse-10-dns-peering"
+  zone_config = {
+    domain = "10.in-addr.arpa."
+    peering = {
+      client_networks = [module.dev-spoke-vpc.self_link]
+      peer_network    = module.landing-vpc.self_link
+    }
+  }
 }
--- a/fast/stages/2-networking-a-peering/dns-landing.tf
+++ b/fast/stages/2-networking-a-peering/dns-landing.tf
@ -24,13 +24,16 @@ moved {
 }

 module "landing-dns-fwd-onprem-example" {
-  source          = "../../../modules/dns"
-  project_id      = module.landing-project.project_id
-  type            = "forwarding"
-  name            = "example-com"
-  domain          = "onprem.example.com."
-  client_networks = [module.landing-vpc.self_link]
-  forwarders      = { for ip in var.dns.onprem : ip => null }
+  source     = "../../../modules/dns"
+  project_id = module.landing-project.project_id
+  name       = "example-com"
+  zone_config = {
+    domain = "onprem.example.com."
+    forwarding = {
+      client_networks = [module.landing-vpc.self_link]
+      forwarders      = { for ip in var.dns.onprem : ip => null }
+    }
+  }
 }

 moved {
@ -39,13 +42,16 @@ moved {
 }

 module "landing-dns-fwd-onprem-rev-10" {
-  source          = "../../../modules/dns"
-  project_id      = module.landing-project.project_id
-  type            = "forwarding"
-  name            = "root-reverse-10"
-  domain          = "10.in-addr.arpa."
-  client_networks = [module.landing-vpc.self_link]
-  forwarders      = { for ip in var.dns.onprem : ip => null }
+  source     = "../../../modules/dns"
+  project_id = module.landing-project.project_id
+  name       = "root-reverse-10"
+  zone_config = {
+    domain = "10.in-addr.arpa."
+    forwarding = {
+      client_networks = [module.landing-vpc.self_link]
+      forwarders      = { for ip in var.dns.onprem : ip => null }
+    }
+  }
 }

 moved {
@ -54,12 +60,15 @@ moved {
 }

 module "landing-dns-priv-gcp" {
-  source          = "../../../modules/dns"
-  project_id      = module.landing-project.project_id
-  type            = "private"
-  name            = "gcp-example-com"
-  domain          = "gcp.example.com."
-  client_networks = [module.landing-vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.landing-project.project_id
+  name       = "gcp-example-com"
+  zone_config = {
+    domain = "gcp.example.com."
+    private = {
+      client_networks = [module.landing-vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
  }
--- a/fast/stages/2-networking-a-peering/dns-prod.tf
+++ b/fast/stages/2-networking-a-peering/dns-prod.tf
@ -24,12 +24,15 @@ moved {
 }

 module "prod-dns-priv-example" {
-  source          = "../../../modules/dns"
-  project_id      = module.prod-spoke-project.project_id
-  type            = "private"
-  name            = "prod-gcp-example-com"
-  domain          = "prod.gcp.example.com."
-  client_networks = [module.landing-vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.prod-spoke-project.project_id
+  name       = "prod-gcp-example-com"
+  zone_config = {
+    domain = "prod.gcp.example.com."
+    private = {
+      client_networks = [module.landing-vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
  }
@ -43,13 +46,16 @@ moved {
 }

 module "prod-dns-peer-landing-root" {
-  source          = "../../../modules/dns"
-  project_id      = module.prod-spoke-project.project_id
-  type            = "peering"
-  name            = "prod-root-dns-peering"
-  domain          = "."
-  client_networks = [module.prod-spoke-vpc.self_link]
-  peer_network    = module.landing-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = module.prod-spoke-project.project_id
+  name       = "prod-root-dns-peering"
+  zone_config = {
+    domain = "."
+    peering = {
+      client_networks = [module.prod-spoke-vpc.self_link]
+      peer_network    = module.landing-vpc.self_link
+    }
+  }
 }

 moved {
@ -58,11 +64,14 @@ moved {
 }

 module "prod-dns-peer-landing-rev-10" {
-  source          = "../../../modules/dns"
-  project_id      = module.prod-spoke-project.project_id
-  type            = "peering"
-  name            = "prod-reverse-10-dns-peering"
-  domain          = "10.in-addr.arpa."
-  client_networks = [module.prod-spoke-vpc.self_link]
-  peer_network    = module.landing-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = module.prod-spoke-project.project_id
+  name       = "prod-reverse-10-dns-peering"
+  zone_config = {
+    domain = "10.in-addr.arpa."
+    peering = {
+      client_networks = [module.prod-spoke-vpc.self_link]
+      peer_network    = module.landing-vpc.self_link
+    }
+  }
 }
--- a/fast/stages/2-networking-b-vpn/dns-dev.tf
+++ b/fast/stages/2-networking-b-vpn/dns-dev.tf
@ -24,12 +24,15 @@ moved {
 }

 module "dev-dns-priv-example" {
-  source          = "../../../modules/dns"
-  project_id      = module.dev-spoke-project.project_id
-  type            = "private"
-  name            = "dev-gcp-example-com"
-  domain          = "dev.gcp.example.com."
-  client_networks = [module.landing-vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.dev-spoke-project.project_id
+  name       = "dev-gcp-example-com"
+  zone_config = {
+    domain = "dev.gcp.example.com."
+    private = {
+      client_networks = [module.landing-vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
  }
@ -43,13 +46,16 @@ moved {
 }

 module "dev-dns-peer-landing-root" {
-  source          = "../../../modules/dns"
-  project_id      = module.dev-spoke-project.project_id
-  type            = "peering"
-  name            = "dev-root-dns-peering"
-  domain          = "."
-  client_networks = [module.dev-spoke-vpc.self_link]
-  peer_network    = module.landing-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = module.dev-spoke-project.project_id
+  name       = "dev-root-dns-peering"
+  zone_config = {
+    domain = "."
+    peering = {
+      client_networks = [module.dev-spoke-vpc.self_link]
+      peer_network    = module.landing-vpc.self_link
+    }
+  }
 }

 moved {
@ -58,11 +64,14 @@ moved {
 }

 module "dev-dns-peer-landing-rev-10" {
-  source          = "../../../modules/dns"
-  project_id      = module.dev-spoke-project.project_id
-  type            = "peering"
-  name            = "dev-reverse-10-dns-peering"
-  domain          = "10.in-addr.arpa."
-  client_networks = [module.dev-spoke-vpc.self_link]
-  peer_network    = module.landing-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = module.dev-spoke-project.project_id
+  name       = "dev-reverse-10-dns-peering"
+  zone_config = {
+    domain = "10.in-addr.arpa."
+    peering = {
+      client_networks = [module.dev-spoke-vpc.self_link]
+      peer_network    = module.landing-vpc.self_link
+    }
+  }
 }
--- a/fast/stages/2-networking-b-vpn/dns-landing.tf
+++ b/fast/stages/2-networking-b-vpn/dns-landing.tf
@ -24,13 +24,16 @@ moved {
 }

 module "landing-dns-fwd-onprem-example" {
-  source          = "../../../modules/dns"
-  project_id      = module.landing-project.project_id
-  type            = "forwarding"
-  name            = "example-com"
-  domain          = "onprem.example.com."
-  client_networks = [module.landing-vpc.self_link]
-  forwarders      = { for ip in var.dns.onprem : ip => null }
+  source     = "../../../modules/dns"
+  project_id = module.landing-project.project_id
+  name       = "example-com"
+  zone_config = {
+    domain = "onprem.example.com."
+    forwarding = {
+      client_networks = [module.landing-vpc.self_link]
+      forwarders      = { for ip in var.dns.onprem : ip => null }
+    }
+  }
 }

 moved {
@ -39,13 +42,16 @@ moved {
 }

 module "landing-dns-fwd-onprem-rev-10" {
-  source          = "../../../modules/dns"
-  project_id      = module.landing-project.project_id
-  type            = "forwarding"
-  name            = "root-reverse-10"
-  domain          = "10.in-addr.arpa."
-  client_networks = [module.landing-vpc.self_link]
-  forwarders      = { for ip in var.dns.onprem : ip => null }
+  source     = "../../../modules/dns"
+  project_id = module.landing-project.project_id
+  name       = "root-reverse-10"
+  zone_config = {
+    domain = "10.in-addr.arpa."
+    forwarding = {
+      client_networks = [module.landing-vpc.self_link]
+      forwarders      = { for ip in var.dns.onprem : ip => null }
+    }
+  }
 }

 moved {
@ -54,12 +60,15 @@ moved {
 }

 module "landing-dns-priv-gcp" {
-  source          = "../../../modules/dns"
-  project_id      = module.landing-project.project_id
-  type            = "private"
-  name            = "gcp-example-com"
-  domain          = "gcp.example.com."
-  client_networks = [module.landing-vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.landing-project.project_id
+  name       = "gcp-example-com"
+  zone_config = {
+    domain = "gcp.example.com."
+    private = {
+      client_networks = [module.landing-vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
  }
--- a/fast/stages/2-networking-b-vpn/dns-prod.tf
+++ b/fast/stages/2-networking-b-vpn/dns-prod.tf
@ -24,12 +24,15 @@ moved {
 }

 module "prod-dns-priv-example" {
-  source          = "../../../modules/dns"
-  project_id      = module.prod-spoke-project.project_id
-  type            = "private"
-  name            = "prod-gcp-example-com"
-  domain          = "prod.gcp.example.com."
-  client_networks = [module.landing-vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.prod-spoke-project.project_id
+  name       = "prod-gcp-example-com"
+  zone_config = {
+    domain = "prod.gcp.example.com."
+    private = {
+      client_networks = [module.landing-vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
  }
@ -43,13 +46,16 @@ moved {
 }

 module "prod-dns-peer-landing-root" {
-  source          = "../../../modules/dns"
-  project_id      = module.prod-spoke-project.project_id
-  type            = "peering"
-  name            = "prod-root-dns-peering"
-  domain          = "."
-  client_networks = [module.prod-spoke-vpc.self_link]
-  peer_network    = module.landing-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = module.prod-spoke-project.project_id
+  name       = "prod-root-dns-peering"
+  zone_config = {
+    domain = "."
+    peering = {
+      client_networks = [module.prod-spoke-vpc.self_link]
+      peer_network    = module.landing-vpc.self_link
+    }
+  }
 }

 moved {
@ -58,11 +64,14 @@ moved {
 }

 module "prod-dns-peer-landing-rev-10" {
-  source          = "../../../modules/dns"
-  project_id      = module.prod-spoke-project.project_id
-  type            = "peering"
-  name            = "prod-reverse-10-dns-peering"
-  domain          = "10.in-addr.arpa."
-  client_networks = [module.prod-spoke-vpc.self_link]
-  peer_network    = module.landing-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = module.prod-spoke-project.project_id
+  name       = "prod-reverse-10-dns-peering"
+  zone_config = {
+    domain = "10.in-addr.arpa."
+    peering = {
+      client_networks = [module.prod-spoke-vpc.self_link]
+      peer_network    = module.landing-vpc.self_link
+    }
+  }
 }
--- a/fast/stages/2-networking-c-nva/dns-dev.tf
+++ b/fast/stages/2-networking-c-nva/dns-dev.tf
@ -19,12 +19,15 @@
 # GCP-specific environment zone

 module "dev-dns-private-zone" {
-  source          = "../../../modules/dns"
-  project_id      = module.dev-spoke-project.project_id
-  type            = "private"
-  name            = "dev-gcp-example-com"
-  domain          = "dev.gcp.example.com."
-  client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.dev-spoke-project.project_id
+  name       = "dev-gcp-example-com"
+  zone_config = {
+    domain = "dev.gcp.example.com."
+    private = {
+      client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
  }
@ -38,13 +41,16 @@ moved {
 }

 module "dev-dns-peer-landing-root" {
-  source          = "../../../modules/dns"
-  project_id      = module.dev-spoke-project.project_id
-  type            = "peering"
-  name            = "dev-root-dns-peering"
-  domain          = "."
-  client_networks = [module.dev-spoke-vpc.self_link]
-  peer_network    = module.landing-trusted-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = module.dev-spoke-project.project_id
+  name       = "dev-root-dns-peering"
+  zone_config = {
+    domain = "."
+    peering = {
+      client_networks = [module.dev-spoke-vpc.self_link]
+      peer_network    = module.landing-trusted-vpc.self_link
+    }
+  }
 }

 moved {
@ -53,11 +59,14 @@ moved {
 }

 module "dev-dns-peer-landing-rev-10" {
-  source          = "../../../modules/dns"
-  project_id      = module.dev-spoke-project.project_id
-  type            = "peering"
-  name            = "dev-reverse-10-dns-peering"
-  domain          = "10.in-addr.arpa."
-  client_networks = [module.dev-spoke-vpc.self_link]
-  peer_network    = module.landing-trusted-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = module.dev-spoke-project.project_id
+  name       = "dev-reverse-10-dns-peering"
+  zone_config = {
+    domain = "10.in-addr.arpa."
+    peering = {
+      client_networks = [module.dev-spoke-vpc.self_link]
+      peer_network    = module.landing-trusted-vpc.self_link
+    }
+  }
 }
--- a/fast/stages/2-networking-c-nva/dns-landing.tf
+++ b/fast/stages/2-networking-c-nva/dns-landing.tf
@ -26,14 +26,17 @@ moved {
 module "landing-dns-fwd-onprem-example" {
  source     = "../../../modules/dns"
  project_id = module.landing-project.project_id
-  type       = "forwarding"
  name       = "example-com"
-  domain     = "onprem.example.com."
-  client_networks = [
-    module.landing-untrusted-vpc.self_link,
-    module.landing-trusted-vpc.self_link
-  ]
-  forwarders = { for ip in var.dns.onprem : ip => null }
+  zone_config = {
+    domain = "onprem.example.com."
+    forwarding = {
+      client_networks = [
+        module.landing-untrusted-vpc.self_link,
+        module.landing-trusted-vpc.self_link
+      ]
+      forwarders = { for ip in var.dns.onprem : ip => null }
+    }
+  }
 }

 moved {
@ -44,14 +47,17 @@ moved {
 module "landing-dns-fwd-onprem-rev-10" {
  source     = "../../../modules/dns"
  project_id = module.landing-project.project_id
-  type       = "forwarding"
  name       = "root-reverse-10"
-  domain     = "10.in-addr.arpa."
-  client_networks = [
-    module.landing-untrusted-vpc.self_link,
-    module.landing-trusted-vpc.self_link
-  ]
-  forwarders = { for ip in var.dns.onprem : ip => null }
+  zone_config = {
+    domain = "10.in-addr.arpa."
+    forwarding = {
+      client_networks = [
+        module.landing-untrusted-vpc.self_link,
+        module.landing-trusted-vpc.self_link
+      ]
+      forwarders = { for ip in var.dns.onprem : ip => null }
+    }
+  }
 }

 moved {
@ -62,13 +68,16 @@ moved {
 module "landing-dns-priv-gcp" {
  source     = "../../../modules/dns"
  project_id = module.landing-project.project_id
-  type       = "private"
  name       = "gcp-example-com"
-  domain     = "gcp.example.com."
-  client_networks = [
-    module.landing-untrusted-vpc.self_link,
-    module.landing-trusted-vpc.self_link
-  ]
+  zone_config = {
+    domain = "gcp.example.com."
+    private = {
+      client_networks = [
+        module.landing-untrusted-vpc.self_link,
+        module.landing-trusted-vpc.self_link
+      ]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
  }
--- a/fast/stages/2-networking-c-nva/dns-prod.tf
+++ b/fast/stages/2-networking-c-nva/dns-prod.tf
@ -19,12 +19,15 @@
 # GCP-specific environment zone

 module "prod-dns-private-zone" {
-  source          = "../../../modules/dns"
-  project_id      = module.prod-spoke-project.project_id
-  type            = "private"
-  name            = "prod-gcp-example-com"
-  domain          = "prod.gcp.example.com."
-  client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.prod-spoke-project.project_id
+  name       = "prod-gcp-example-com"
+  zone_config = {
+    domain = "prod.gcp.example.com."
+    private = {
+      client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
  }
@ -38,13 +41,16 @@ moved {
 }

 module "prod-dns-peer-landing-root" {
-  source          = "../../../modules/dns"
-  project_id      = module.prod-spoke-project.project_id
-  type            = "peering"
-  name            = "prod-root-dns-peering"
-  domain          = "."
-  client_networks = [module.prod-spoke-vpc.self_link]
-  peer_network    = module.landing-trusted-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = module.prod-spoke-project.project_id
+  name       = "prod-root-dns-peering"
+  zone_config = {
+    domain = "."
+    peering = {
+      client_networks = [module.prod-spoke-vpc.self_link]
+      peer_network    = module.landing-trusted-vpc.self_link
+    }
+  }
 }

 moved {
@ -53,11 +59,14 @@ moved {
 }

 module "prod-dns-peer-landing-rev-10" {
-  source          = "../../../modules/dns"
-  project_id      = module.prod-spoke-project.project_id
-  type            = "peering"
-  name            = "prod-reverse-10-dns-peering"
-  domain          = "10.in-addr.arpa."
-  client_networks = [module.prod-spoke-vpc.self_link]
-  peer_network    = module.landing-trusted-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = module.prod-spoke-project.project_id
+  name       = "prod-reverse-10-dns-peering"
+  zone_config = {
+    domain = "10.in-addr.arpa."
+    peering = {
+      client_networks = [module.prod-spoke-vpc.self_link]
+      peer_network    = module.landing-trusted-vpc.self_link
+    }
+  }
 }
--- a/fast/stages/2-networking-d-separate-envs/dns-dev.tf
+++ b/fast/stages/2-networking-d-separate-envs/dns-dev.tf
@ -19,12 +19,15 @@
 # GCP-specific environment zone

 module "dev-dns-private-zone" {
-  source          = "../../../modules/dns"
-  project_id      = module.dev-spoke-project.project_id
-  type            = "private"
-  name            = "dev-gcp-example-com"
-  domain          = "dev.gcp.example.com."
-  client_networks = [module.dev-spoke-vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.dev-spoke-project.project_id
+  name       = "dev-gcp-example-com"
+  zone_config = {
+    domain = "dev.gcp.example.com."
+    private = {
+      client_networks = [module.dev-spoke-vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
  }
@ -36,13 +39,16 @@ moved {
 }

 module "dev-dns-fwd-onprem-example" {
-  source          = "../../../modules/dns"
-  project_id      = module.dev-spoke-project.project_id
-  type            = "forwarding"
-  name            = "example-com"
-  domain          = "onprem.example.com."
-  client_networks = [module.dev-spoke-vpc.self_link]
-  forwarders      = { for ip in var.dns.dev : ip => null }
+  source     = "../../../modules/dns"
+  project_id = module.dev-spoke-project.project_id
+  name       = "example-com"
+  zone_config = {
+    domain = "onprem.example.com."
+    forwarding = {
+      client_networks = [module.dev-spoke-vpc.self_link]
+      forwarders      = { for ip in var.dns.dev : ip => null }
+    }
+  }
 }

 moved {
@ -51,13 +57,16 @@ moved {
 }

 module "dev-dns-fwd-onprem-rev-10" {
-  source          = "../../../modules/dns"
-  project_id      = module.dev-spoke-project.project_id
-  type            = "forwarding"
-  name            = "root-reverse-10"
-  domain          = "10.in-addr.arpa."
-  client_networks = [module.dev-spoke-vpc.self_link]
-  forwarders      = { for ip in var.dns.dev : ip => null }
+  source     = "../../../modules/dns"
+  project_id = module.dev-spoke-project.project_id
+  name       = "root-reverse-10"
+  zone_config = {
+    domain = "10.in-addr.arpa."
+    forwarding = {
+      client_networks = [module.dev-spoke-vpc.self_link]
+      forwarders      = { for ip in var.dns.dev : ip => null }
+    }
+  }
 }

 # Google APIs
--- a/fast/stages/2-networking-d-separate-envs/dns-prod.tf
+++ b/fast/stages/2-networking-d-separate-envs/dns-prod.tf
@ -19,12 +19,15 @@
 # GCP-specific environment zone

 module "prod-dns-private-zone" {
-  source          = "../../../modules/dns"
-  project_id      = module.prod-spoke-project.project_id
-  type            = "private"
-  name            = "prod-gcp-example-com"
-  domain          = "prod.gcp.example.com."
-  client_networks = [module.prod-spoke-vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.prod-spoke-project.project_id
+  name       = "prod-gcp-example-com"
+  zone_config = {
+    domain = "prod.gcp.example.com."
+    private = {
+      client_networks = [module.prod-spoke-vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
  }
@ -36,13 +39,16 @@ moved {
 }

 module "prod-dns-fwd-onprem-example" {
-  source          = "../../../modules/dns"
-  project_id      = module.prod-spoke-project.project_id
-  type            = "forwarding"
-  name            = "example-com"
-  domain          = "onprem.example.com."
-  client_networks = [module.prod-spoke-vpc.self_link]
-  forwarders      = { for ip in var.dns.prod : ip => null }
+  source     = "../../../modules/dns"
+  project_id = module.prod-spoke-project.project_id
+  name       = "example-com"
+  zone_config = {
+    domain = "onprem.example.com."
+    forwarding = {
+      client_networks = [module.prod-spoke-vpc.self_link]
+      forwarders      = { for ip in var.dns.prod : ip => null }
+    }
+  }
 }

 moved {
@ -51,13 +57,16 @@ moved {
 }

 module "prod-dns-fwd-onprem-rev-10" {
-  source          = "../../../modules/dns"
-  project_id      = module.prod-spoke-project.project_id
-  type            = "forwarding"
-  name            = "root-reverse-10"
-  domain          = "10.in-addr.arpa."
-  client_networks = [module.prod-spoke-vpc.self_link]
-  forwarders      = { for ip in var.dns.prod : ip => null }
+  source     = "../../../modules/dns"
+  project_id = module.prod-spoke-project.project_id
+  name       = "root-reverse-10"
+  zone_config = {
+    domain = "10.in-addr.arpa."
+    forwarding = {
+      client_networks = [module.prod-spoke-vpc.self_link]
+      forwarders      = { for ip in var.dns.prod : ip => null }
+    }
+  }
 }

 # Google APIs
--- a/fast/stages/2-networking-e-nva-bgp/dns-dev.tf
+++ b/fast/stages/2-networking-e-nva-bgp/dns-dev.tf
@ -19,12 +19,15 @@
 # GCP-specific environment zone

 module "dev-dns-private-zone" {
-  source          = "../../../modules/dns"
-  project_id      = module.dev-spoke-project.project_id
-  type            = "private"
-  name            = "dev-gcp-example-com"
-  domain          = "dev.gcp.example.com."
-  client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.dev-spoke-project.project_id
+  name       = "dev-gcp-example-com"
+  zone_config = {
+    domain = "dev.gcp.example.com."
+    private = {
+      client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
  }
@ -38,13 +41,16 @@ moved {
 }

 module "dev-dns-peer-landing-root" {
-  source          = "../../../modules/dns"
-  project_id      = module.dev-spoke-project.project_id
-  type            = "peering"
-  name            = "dev-root-dns-peering"
-  domain          = "."
-  client_networks = [module.dev-spoke-vpc.self_link]
-  peer_network    = module.landing-trusted-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = module.dev-spoke-project.project_id
+  name       = "dev-root-dns-peering"
+  zone_config = {
+    domain = "."
+    peering = {
+      client_networks = [module.dev-spoke-vpc.self_link]
+      peer_network    = module.landing-trusted-vpc.self_link
+    }
+  }
 }

 moved {
@ -53,11 +59,14 @@ moved {
 }

 module "dev-dns-peer-landing-rev-10" {
-  source          = "../../../modules/dns"
-  project_id      = module.dev-spoke-project.project_id
-  type            = "peering"
-  name            = "dev-reverse-10-dns-peering"
-  domain          = "10.in-addr.arpa."
-  client_networks = [module.dev-spoke-vpc.self_link]
-  peer_network    = module.landing-trusted-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = module.dev-spoke-project.project_id
+  name       = "dev-reverse-10-dns-peering"
+  zone_config = {
+    domain = "10.in-addr.arpa."
+    peering = {
+      client_networks = [module.dev-spoke-vpc.self_link]
+      peer_network    = module.landing-trusted-vpc.self_link
+    }
+  }
 }
--- a/fast/stages/2-networking-e-nva-bgp/dns-landing.tf
+++ b/fast/stages/2-networking-e-nva-bgp/dns-landing.tf
@ -26,14 +26,17 @@ moved {
 module "landing-dns-fwd-onprem-example" {
  source     = "../../../modules/dns"
  project_id = module.landing-project.project_id
-  type       = "forwarding"
  name       = "example-com"
-  domain     = "onprem.example.com."
-  client_networks = [
-    module.landing-untrusted-vpc.self_link,
-    module.landing-trusted-vpc.self_link
-  ]
-  forwarders = { for ip in var.dns.onprem : ip => null }
+  zone_config = {
+    domain = "onprem.example.com."
+    forwarding = {
+      client_networks = [
+        module.landing-untrusted-vpc.self_link,
+        module.landing-trusted-vpc.self_link
+      ]
+      forwarders = { for ip in var.dns.onprem : ip => null }
+    }
+  }
 }

 moved {
@ -44,14 +47,17 @@ moved {
 module "landing-dns-fwd-onprem-rev-10" {
  source     = "../../../modules/dns"
  project_id = module.landing-project.project_id
-  type       = "forwarding"
  name       = "root-reverse-10"
-  domain     = "10.in-addr.arpa."
-  client_networks = [
-    module.landing-untrusted-vpc.self_link,
-    module.landing-trusted-vpc.self_link
-  ]
-  forwarders = { for ip in var.dns.onprem : ip => null }
+  zone_config = {
+    domain = "10.in-addr.arpa."
+    forwarding = {
+      client_networks = [
+        module.landing-untrusted-vpc.self_link,
+        module.landing-trusted-vpc.self_link
+      ]
+      forwarders = { for ip in var.dns.onprem : ip => null }
+    }
+  }
 }

 moved {
@ -62,13 +68,16 @@ moved {
 module "landing-dns-priv-gcp" {
  source     = "../../../modules/dns"
  project_id = module.landing-project.project_id
-  type       = "private"
  name       = "gcp-example-com"
-  domain     = "gcp.example.com."
-  client_networks = [
-    module.landing-untrusted-vpc.self_link,
-    module.landing-trusted-vpc.self_link
-  ]
+  zone_config = {
+    domain = "gcp.example.com."
+    private = {
+      client_networks = [
+        module.landing-untrusted-vpc.self_link,
+        module.landing-trusted-vpc.self_link
+      ]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
  }
--- a/fast/stages/2-networking-e-nva-bgp/dns-prod.tf
+++ b/fast/stages/2-networking-e-nva-bgp/dns-prod.tf
@ -19,12 +19,15 @@
 # GCP-specific environment zone

 module "prod-dns-private-zone" {
-  source          = "../../../modules/dns"
-  project_id      = module.prod-spoke-project.project_id
-  type            = "private"
-  name            = "prod-gcp-example-com"
-  domain          = "prod.gcp.example.com."
-  client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+  source     = "../../../modules/dns"
+  project_id = module.prod-spoke-project.project_id
+  name       = "prod-gcp-example-com"
+  zone_config = {
+    domain = "prod.gcp.example.com."
+    private = {
+      client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
  }
@ -38,13 +41,16 @@ moved {
 }

 module "prod-dns-peer-landing-root" {
-  source          = "../../../modules/dns"
-  project_id      = module.prod-spoke-project.project_id
-  type            = "peering"
-  name            = "prod-root-dns-peering"
-  domain          = "."
-  client_networks = [module.prod-spoke-vpc.self_link]
-  peer_network    = module.landing-trusted-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = module.prod-spoke-project.project_id
+  name       = "prod-root-dns-peering"
+  zone_config = {
+    domain = "."
+    peering = {
+      client_networks = [module.prod-spoke-vpc.self_link]
+      peer_network    = module.landing-trusted-vpc.self_link
+    }
+  }
 }

 moved {
@ -53,11 +59,14 @@ moved {
 }

 module "prod-dns-peer-landing-rev-10" {
-  source          = "../../../modules/dns"
-  project_id      = module.prod-spoke-project.project_id
-  type            = "peering"
-  name            = "prod-reverse-10-dns-peering"
-  domain          = "10.in-addr.arpa."
-  client_networks = [module.prod-spoke-vpc.self_link]
-  peer_network    = module.landing-trusted-vpc.self_link
+  source     = "../../../modules/dns"
+  project_id = module.prod-spoke-project.project_id
+  name       = "prod-reverse-10-dns-peering"
+  zone_config = {
+    domain = "10.in-addr.arpa."
+    peering = {
+      client_networks = [module.prod-spoke-vpc.self_link]
+      peer_network    = module.landing-trusted-vpc.self_link
+    }
+  }
 }
--- a/modules/dns/README.md
+++ b/modules/dns/README.md
@ -10,12 +10,15 @@ For DNSSEC configuration, refer to the [`dns_managed_zone` documentation](https:

 ```hcl
 module "private-dns" {
-  source          = "./fabric/modules/dns"
-  project_id      = "myproject"
-  type            = "private"
-  name            = "test-example"
-  domain          = "test.example."
-  client_networks = [var.vpc.self_link]
+  source     = "./fabric/modules/dns"
+  project_id = "myproject"
+  name       = "test-example"
+  zone_config = {
+    domain = "test.example."
+    private = {
+      client_networks = [var.vpc.self_link]
+    }
+  }
  recordsets = {
    "A localhost" = { records = ["127.0.0.1"] }
    "A myhost"    = { ttl = 600, records = ["10.0.0.120"] }
@ -24,50 +27,58 @@ module "private-dns" {
    "roles/dns.admin" = ["group:dns-administrators@myorg.com"]
  }
 }
-# tftest modules=1 resources=4 inventory=private-zone.yaml
+# tftest modules=1 resources=5 inventory=private-zone.yaml
 ```

 ### Forwarding Zone

 ```hcl
 module "private-dns" {
-  source          = "./fabric/modules/dns"
-  project_id      = "myproject"
-  type            = "forwarding"
-  name            = "test-example"
-  domain          = "test.example."
-  client_networks = [var.vpc.self_link]
-  forwarders      = { "10.0.1.1" = null, "1.2.3.4" = "private" }
+  source     = "./fabric/modules/dns"
+  project_id = "myproject"
+  name       = "test-example"
+  zone_config = {
+    domain = "test.example."
+    forwarding = {
+      client_networks = [var.vpc.self_link]
+      forwarders      = { "10.0.1.1" = null, "1.2.3.4" = "private" }
+    }
+  }
 }
-# tftest modules=1 resources=1 inventory=forwarding-zone.yaml
+# tftest modules=1 resources=2 inventory=forwarding-zone.yaml
 ```

 ### Peering Zone

 ```hcl
 module "private-dns" {
-  source          = "./fabric/modules/dns"
-  project_id      = "myproject"
-  type            = "peering"
-  name            = "test-example"
-  domain          = "."
-  description     = "Forwarding zone for ."
-  client_networks = [var.vpc.self_link]
-  peer_network    = var.vpc2.self_link
+  source     = "./fabric/modules/dns"
+  project_id = "myproject"
+  name       = "test-example"
+  zone_config = {
+    domain = "."
+    peering = {
+      client_networks = [var.vpc.self_link]
+      peer_network    = var.vpc2.self_link
+    }
+  }
 }
-# tftest modules=1 resources=1 inventory=peering-zone.yaml
+# tftest modules=1 resources=2 inventory=peering-zone.yaml
 ```

 ### Routing Policies

 ```hcl
 module "private-dns" {
-  source          = "./fabric/modules/dns"
-  project_id      = "myproject"
-  type            = "private"
-  name            = "test-example"
-  domain          = "test.example."
-  client_networks = [var.vpc.self_link]
+  source     = "./fabric/modules/dns"
+  project_id = "myproject"
+  name       = "test-example"
+  zone_config = {
+    domain = "test.example."
+    private = {
+      client_networks = [var.vpc.self_link]
+    }
+  }
  recordsets = {
    "A regular" = { records = ["10.20.0.1"] }
    "A geo" = {
@ -88,21 +99,24 @@ module "private-dns" {
    }
  }
 }
-# tftest modules=1 resources=4 inventory=routing-policies.yaml
+# tftest modules=1 resources=5 inventory=routing-policies.yaml
 ```

 ### Reverse Lookup Zone

 ```hcl
 module "private-dns" {
-  source          = "./fabric/modules/dns"
-  project_id      = "myproject"
-  type            = "reverse-managed"
-  name            = "test-example"
-  domain          = "0.0.10.in-addr.arpa."
-  client_networks = [var.vpc.self_link]
+  source     = "./fabric/modules/dns"
+  project_id = "myproject"
+  name       = "test-example"
+  zone_config = {
+    domain = "0.0.10.in-addr.arpa."
+    private = {
+      client_networks = [var.vpc.self_link]
+    }
+  }
 }
-# tftest modules=1 resources=1 inventory=reverse-zone.yaml
+# tftest modules=1 resources=2 inventory=reverse-zone.yaml
 ```

 ### Public Zone
@ -111,9 +125,11 @@ module "private-dns" {
 module "public-dns" {
  source     = "./fabric/modules/dns"
  project_id = "myproject"
-  type       = "public"
  name       = "example"
-  domain     = "example.com."
+  zone_config = {
+    domain = "example.com."
+    public = {}
+  }
  recordsets = {
    "A myhost" = { ttl = 300, records = ["127.0.0.1"] }
  }
@ -129,20 +145,12 @@ module "public-dns" {

 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [domain](variables.tf#L54) | Zone domain, must end with a period. | <code>string</code> | ✓ |  |
-| [name](variables.tf#L78) | Zone name, must be unique within the project. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L89) | Project id for the zone. | <code>string</code> | ✓ |  |
-| [client_networks](variables.tf#L21) | List of VPC self links that can see this zone. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [description](variables.tf#L28) | Domain description. | <code>string</code> |  | <code>&#34;Terraform managed.&#34;</code> |
-| [dnssec_config](variables.tf#L34) | DNSSEC configuration for this zone. | <code title="object&#40;&#123;&#10;  non_existence &#61; optional&#40;string, &#34;nsec3&#34;&#41;&#10;  state         &#61; string&#10;  key_signing_key &#61; optional&#40;object&#40;&#10;    &#123; algorithm &#61; string, key_length &#61; number &#125;&#41;,&#10;    &#123; algorithm &#61; &#34;rsasha256&#34;, key_length &#61; 2048 &#125;&#10;  &#41;&#10;  zone_signing_key &#61; optional&#40;object&#40;&#10;    &#123; algorithm &#61; string, key_length &#61; number &#125;&#41;,&#10;    &#123; algorithm &#61; &#34;rsasha256&#34;, key_length &#61; 1024 &#125;&#10;  &#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  state &#61; &#34;off&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [enable_logging](variables.tf#L59) | Enable query logging for this zone. | <code>bool</code> |  | <code>false</code> |
-| [forwarders](variables.tf#L66) | Map of {IPV4_ADDRESS => FORWARDING_PATH} for 'forwarding' zone types. Path can be 'default', 'private', or null for provider default. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [iam](variables.tf#L72) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>null</code> |
-| [peer_network](variables.tf#L83) | Peering network self link, only valid for 'peering' zone types. | <code>string</code> |  | <code>null</code> |
-| [recordsets](variables.tf#L94) | Map of DNS recordsets in \"type name\" => {ttl, [records]} format. | <code title="map&#40;object&#40;&#123;&#10;  ttl     &#61; optional&#40;number, 300&#41;&#10;  records &#61; optional&#40;list&#40;string&#41;&#41;&#10;  geo_routing &#61; optional&#40;list&#40;object&#40;&#123;&#10;    location &#61; string&#10;    records  &#61; list&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;  wrr_routing &#61; optional&#40;list&#40;object&#40;&#123;&#10;    weight  &#61; number&#10;    records &#61; list&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [service_directory_namespace](variables.tf#L129) | Service directory namespace id (URL), only valid for 'service-directory' zone types. | <code>string</code> |  | <code>null</code> |
-| [type](variables.tf#L135) | Type of zone to create, valid values are 'public', 'private', 'forwarding', 'peering', 'service-directory','reverse-managed'. | <code>string</code> |  | <code>&#34;private&#34;</code> |
-| [zone_create](variables.tf#L145) | Create zone. When set to false, uses a data source to reference existing zone. | <code>bool</code> |  | <code>true</code> |
+| [name](variables.tf#L33) | Zone name, must be unique within the project. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L38) | Project id for the zone. | <code>string</code> | ✓ |  |
+| [description](variables.tf#L21) | Domain description. | <code>string</code> |  | <code>&#34;Terraform managed.&#34;</code> |
+| [iam](variables.tf#L27) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>null</code> |
+| [recordsets](variables.tf#L43) | Map of DNS recordsets in \"type name\" => {ttl, [records]} format. | <code title="map&#40;object&#40;&#123;&#10;  ttl     &#61; optional&#40;number, 300&#41;&#10;  records &#61; optional&#40;list&#40;string&#41;&#41;&#10;  geo_routing &#61; optional&#40;list&#40;object&#40;&#123;&#10;    location &#61; string&#10;    records  &#61; list&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;  wrr_routing &#61; optional&#40;list&#40;object&#40;&#123;&#10;    weight  &#61; number&#10;    records &#61; list&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [zone_config](variables.tf#L78) | DNS zone configuration. | <code title="object&#40;&#123;&#10;  domain         &#61; string&#10;  enable_logging &#61; optional&#40;bool, false&#41;&#10;  forwarding &#61; optional&#40;object&#40;&#123;&#10;    forwarders      &#61; optional&#40;map&#40;string&#41;&#41;&#10;    client_networks &#61; list&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  peering &#61; optional&#40;object&#40;&#123;&#10;    client_networks &#61; list&#40;string&#41;&#10;    peer_network    &#61; string&#10;  &#125;&#41;&#41;&#10;  public &#61; optional&#40;object&#40;&#123;&#10;    dnssec_config &#61; optional&#40;object&#40;&#123;&#10;      non_existence &#61; optional&#40;string, &#34;nsec3&#34;&#41;&#10;      state         &#61; string&#10;      key_signing_key &#61; optional&#40;object&#40;&#10;        &#123; algorithm &#61; string, key_length &#61; number &#125;&#41;,&#10;        &#123; algorithm &#61; &#34;rsasha256&#34;, key_length &#61; 2048 &#125;&#10;      &#41;&#10;      zone_signing_key &#61; optional&#40;object&#40;&#10;        &#123; algorithm &#61; string, key_length &#61; number &#125;&#41;,&#10;        &#123; algorithm &#61; &#34;rsasha256&#34;, key_length &#61; 1024 &#125;&#10;      &#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  private &#61; optional&#40;object&#40;&#123;&#10;    client_networks             &#61; list&#40;string&#41;&#10;    service_directory_namespace &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |

 ## Outputs

@ -153,7 +161,6 @@ module "public-dns" {
 | [id](outputs.tf#L27) | Fully qualified zone id. |  |
 | [name](outputs.tf#L32) | The DNS zone name. |  |
 | [name_servers](outputs.tf#L37) | The DNS zone name servers. |  |
-| [type](outputs.tf#L42) | The DNS zone type. |  |
-| [zone](outputs.tf#L47) | DNS zone resource. |  |
+| [zone](outputs.tf#L42) | DNS zone resource. |  |

 <!-- END TFDOC -->
--- a/modules/dns/main.tf
+++ b/modules/dns/main.tf
@ -15,77 +15,87 @@
 */

 locals {
+  managed_zone = (var.zone_config == null ?
+    data.google_dns_managed_zone.dns_managed_zone.0
+    : google_dns_managed_zone.dns_managed_zone.0
+  )
  # split record name and type and set as keys in a map
  _recordsets_0 = {
    for key, attrs in var.recordsets :
    key => merge(attrs, zipmap(["type", "name"], split(" ", key)))
  }
  # compute the final resource name for the recordset
-  _recordsets = {
+  recordsets = {
    for key, attrs in local._recordsets_0 :
    key => merge(attrs, {
      resource_name = (
        attrs.name == ""
-        ? var.domain
+        ? local.managed_zone.dns_name
        : (
          substr(attrs.name, -1, 1) == "."
          ? attrs.name
-          : "${attrs.name}.${var.domain}"
+          : "${attrs.name}.${local.managed_zone.dns_name}"
        )
      )
    })
  }
-  # split recordsets between regular, geo and wrr
-  geo_recordsets = {
-    for k, v in local._recordsets :
-    k => v
-    if v.geo_routing != null
-  }
-  regular_recordsets = {
-    for k, v in local._recordsets :
-    k => v
-    if v.records != null
-  }
-  wrr_recordsets = {
-    for k, v in local._recordsets :
-    k => v
-    if v.wrr_routing != null
-  }
-  zone = (
-    var.zone_create
-    ? try(
-      google_dns_managed_zone.non-public.0, try(
-        google_dns_managed_zone.public.0, null
-      )
-    )
-    : try(data.google_dns_managed_zone.public.0, null)
+  client_networks = concat(
+    coalesce(try(var.zone_config.forwarding.client_networks, null), []),
+    coalesce(try(var.zone_config.peering.client_networks, null), []),
+    coalesce(try(var.zone_config.private.client_networks, null), [])
  )
-  dns_keys = try(
-    data.google_dns_keys.dns_keys.0, null
+  visibility = (var.zone_config == null ?
+    null
+    : (var.zone_config.forwarding != null ||
+      var.zone_config.peering != null
+    || var.zone_config.private != null) ?
+    "private" :
+    "public"
  )
 }

-resource "google_dns_managed_zone" "non-public" {
-  count          = (var.zone_create && var.type != "public") ? 1 : 0
+resource "google_dns_managed_zone" "dns_managed_zone" {
+  count          = (var.zone_config == null) ? 0 : 1
  provider       = google-beta
  project        = var.project_id
  name           = var.name
-  dns_name       = var.domain
+  dns_name       = var.zone_config.domain
  description    = var.description
-  visibility     = "private"
-  reverse_lookup = (var.type == "reverse-managed")
+  visibility     = local.visibility
+  reverse_lookup = try(var.zone_config.private, null) != null && endswith(var.zone_config.domain, ".in-addr.arpa.")
+
+  dynamic "dnssec_config" {
+    for_each = try(var.zone_config.public.dnssec_config, null) == null ? [] : [""]
+    iterator = config
+    content {
+      kind          = "dns#managedZoneDnsSecConfig"
+      non_existence = var.zone_config.public.dnssec_config.non_existence
+      state         = var.zone_config.public.dnssec_config.state
+
+      default_key_specs {
+        algorithm  = var.zone_config.public.dnssec_config.key_signing_key.algorithm
+        key_length = var.zone_config.public.dnssec_config.key_signing_key.key_length
+        key_type   = "keySigning"
+        kind       = "dns#dnsKeySpec"
+      }
+
+      default_key_specs {
+        algorithm  = var.zone_config.public.dnssec_config.zone_signing_key.algorithm
+        key_length = var.zone_config.public.dnssec_config.zone_signing_key.key_length
+        key_type   = "zoneSigning"
+        kind       = "dns#dnsKeySpec"
+      }
+    }
+  }

  dynamic "forwarding_config" {
-    for_each = (
-      var.type == "forwarding" &&
-      var.forwarders != null &&
-      length(var.forwarders) > 0
+    for_each = (length(coalesce(try(var.zone_config.forwarding.forwarders, null), {})) > 0
      ? [""]
      : []
    )
    content {
      dynamic "target_name_servers" {
-        for_each = var.forwarders
+        for_each = var.zone_config.forwarding.forwarders
        iterator = forwarder
        content {
          ipv4_address    = forwarder.key
@ -96,21 +106,19 @@ resource "google_dns_managed_zone" "non-public" {
  }

  dynamic "peering_config" {
-    for_each = (
-      var.type == "peering" && var.peer_network != null ? [""] : []
-    )
+    for_each = try(var.zone_config.peering.peer_network, null) == null ? [] : [""]
    content {
      target_network {
-        network_url = var.peer_network
+        network_url = var.zone_config.peering.peer_network
      }
    }
  }

  dynamic "private_visibility_config" {
-    for_each = length(var.client_networks) > 0 ? [""] : []
+    for_each = length(local.client_networks) > 0 ? [""] : []
    content {
      dynamic "networks" {
-        for_each = var.client_networks
+        for_each = local.client_networks
        iterator = network
        content {
          network_url = network.value
@ -120,85 +128,41 @@ resource "google_dns_managed_zone" "non-public" {
  }

  dynamic "service_directory_config" {
-    for_each = (
-      var.type == "service-directory" && var.service_directory_namespace != null
-      ? [""]
-      : []
+    for_each = (try(var.zone_config.private.service_directory_namespace, null) == null
+      ? []
+      : [""]
    )
    content {
      namespace {
-        namespace_url = var.service_directory_namespace
+        namespace_url = var.zone_config.private.service_directory_namespace
      }
    }
  }
  cloud_logging_config {
-    enable_logging = var.enable_logging
+    enable_logging = try(var.zone_config.enable_logging, false)
  }
 }

-data "google_dns_managed_zone" "public" {
-  count   = var.zone_create ? 0 : 1
+data "google_dns_managed_zone" "dns_managed_zone" {
+  count   = var.zone_config == null ? 1 : 0
  project = var.project_id
  name    = var.name
 }

-resource "google_dns_managed_zone" "public" {
-  count       = (var.zone_create && var.type == "public") ? 1 : 0
-  project     = var.project_id
-  name        = var.name
-  dns_name    = var.domain
-  description = var.description
-  visibility  = "public"
-
-  dynamic "dnssec_config" {
-    for_each = var.dnssec_config == null ? [] : [1]
-    iterator = config
-    content {
-      kind          = "dns#managedZoneDnsSecConfig"
-      non_existence = var.dnssec_config.non_existence
-      state         = var.dnssec_config.state
-
-      default_key_specs {
-        algorithm  = var.dnssec_config.key_signing_key.algorithm
-        key_length = var.dnssec_config.key_signing_key.key_length
-        key_type   = "keySigning"
-        kind       = "dns#dnsKeySpec"
-      }
-
-      default_key_specs {
-        algorithm  = var.dnssec_config.zone_signing_key.algorithm
-        key_length = var.dnssec_config.zone_signing_key.key_length
-        key_type   = "zoneSigning"
-        kind       = "dns#dnsKeySpec"
-      }
-    }
-  }
-  cloud_logging_config {
-    enable_logging = var.enable_logging
-  }
-}
-
 resource "google_dns_managed_zone_iam_binding" "iam_bindings" {
-  for_each = coalesce(var.iam, {})
-  project  = var.project_id
-  managed_zone = (var.type == "public"
-    ? google_dns_managed_zone.public[0].name
-  : google_dns_managed_zone.non-public[0].name)
-  role    = each.key
-  members = each.value
+  for_each     = coalesce(var.iam, {})
+  project      = var.project_id
+  managed_zone = local.managed_zone.id
+  role         = each.key
+  members      = each.value
 }

 data "google_dns_keys" "dns_keys" {
-  count        = var.zone_create && (var.dnssec_config == {} || var.type != "public") ? 0 : 1
-  managed_zone = local.zone.id
+  managed_zone = local.managed_zone.id
 }

-resource "google_dns_record_set" "cloud-static-records" {
-  for_each = (
-    var.type == "public" || var.type == "private"
-    ? local.regular_recordsets
-    : {}
-  )
+resource "google_dns_record_set" "dns_record_set" {
+  for_each     = local.recordsets
  project      = var.project_id
  managed_zone = var.name
  name         = each.value.resource_name
@ -206,63 +170,27 @@ resource "google_dns_record_set" "cloud-static-records" {
  ttl          = each.value.ttl
  rrdatas      = each.value.records

-  depends_on = [
-    google_dns_managed_zone.non-public, google_dns_managed_zone.public
-  ]
-}
-
-resource "google_dns_record_set" "cloud-geo-records" {
-  for_each = (
-    var.type == "public" || var.type == "private"
-    ? local.geo_recordsets
-    : {}
-  )
-  project      = var.project_id
-  managed_zone = var.name
-  name         = each.value.resource_name
-  type         = each.value.type
-  ttl          = each.value.ttl
-
-  routing_policy {
-    dynamic "geo" {
-      for_each = each.value.geo_routing
-      iterator = policy
-      content {
-        location = policy.value.location
-        rrdatas  = policy.value.records
+  dynamic "routing_policy" {
+    for_each = (each.value.geo_routing != null || each.value.wrr_routing != null) ? [""] : []
+    content {
+      dynamic "geo" {
+        for_each = coalesce(each.value.geo_routing, [])
+        content {
+          location = geo.value.location
+          rrdatas  = geo.value.records
+        }
+      }
+      dynamic "wrr" {
+        for_each = coalesce(each.value.wrr_routing, [])
+        content {
+          weight  = wrr.value.weight
+          rrdatas = wrr.value.records
+        }
      }
    }
  }

  depends_on = [
-    google_dns_managed_zone.non-public, google_dns_managed_zone.public
+    google_dns_managed_zone.dns_managed_zone
  ]
-}
-
-resource "google_dns_record_set" "cloud-wrr-records" {
-  for_each = (
-    var.type == "public" || var.type == "private"
-    ? local.wrr_recordsets
-    : {}
-  )
-  project      = var.project_id
-  managed_zone = var.name
-  name         = each.value.resource_name
-  type         = each.value.type
-  ttl          = each.value.ttl
-
-  routing_policy {
-    dynamic "wrr" {
-      for_each = each.value.wrr_routing
-      iterator = policy
-      content {
-        weight  = policy.value.weight
-        rrdatas = policy.value.records
-      }
-    }
-  }
-
-  depends_on = [
-    google_dns_managed_zone.non-public, google_dns_managed_zone.public
-  ]
-}
+}
--- a/modules/dns/outputs.tf
+++ b/modules/dns/outputs.tf
@ -16,35 +16,30 @@

 output "dns_keys" {
  description = "DNSKEY and DS records of DNSSEC-signed managed zones."
-  value       = local.dns_keys
+  value       = data.google_dns_keys.dns_keys
 }

 output "domain" {
  description = "The DNS zone domain."
-  value       = try(local.zone.dns_name, null)
+  value       = local.managed_zone.dns_name
 }

 output "id" {
  description = "Fully qualified zone id."
-  value       = try(local.zone.id, null)
+  value       = local.managed_zone.id
 }

 output "name" {
  description = "The DNS zone name."
-  value       = try(local.zone.name, null)
+  value       = local.managed_zone.name
 }

 output "name_servers" {
  description = "The DNS zone name servers."
-  value       = try(local.zone.name_servers, null)
-}
-
-output "type" {
-  description = "The DNS zone type."
-  value       = var.type
+  value       = local.managed_zone.name_servers
 }

 output "zone" {
  description = "DNS zone resource."
-  value       = local.zone
+  value       = local.managed_zone
 }
--- a/modules/dns/variables.tf
+++ b/modules/dns/variables.tf
@ -18,57 +18,12 @@
 #                                zone variables                               #
 ###############################################################################

-variable "client_networks" {
-  description = "List of VPC self links that can see this zone."
-  type        = list(string)
-  default     = []
-  nullable    = false
-}
-
 variable "description" {
  description = "Domain description."
  type        = string
  default     = "Terraform managed."
 }

-variable "dnssec_config" {
-  description = "DNSSEC configuration for this zone."
-  type = object({
-    non_existence = optional(string, "nsec3")
-    state         = string
-    key_signing_key = optional(object(
-      { algorithm = string, key_length = number }),
-      { algorithm = "rsasha256", key_length = 2048 }
-    )
-    zone_signing_key = optional(object(
-      { algorithm = string, key_length = number }),
-      { algorithm = "rsasha256", key_length = 1024 }
-    )
-  })
-  default = {
-    state = "off"
-  }
-  nullable = false
-}
-
-variable "domain" {
-  description = "Zone domain, must end with a period."
-  type        = string
-}
-
-variable "enable_logging" {
-  description = "Enable query logging for this zone."
-  type        = bool
-  default     = false
-  nullable    = false
-}
-
-variable "forwarders" {
-  description = "Map of {IPV4_ADDRESS => FORWARDING_PATH} for 'forwarding' zone types. Path can be 'default', 'private', or null for provider default."
-  type        = map(string)
-  default     = {}
-}
-
 variable "iam" {
  description = "IAM bindings in {ROLE => [MEMBERS]} format."
  type        = map(list(string))
@ -80,12 +35,6 @@ variable "name" {
  type        = string
 }

-variable "peer_network" {
-  description = "Peering network self link, only valid for 'peering' zone types."
-  type        = string
-  default     = null
-}
-
 variable "project_id" {
  description = "Project id for the zone."
  type        = string
@ -126,27 +75,48 @@ variable "recordsets" {
  }
 }

-variable "service_directory_namespace" {
-  description = "Service directory namespace id (URL), only valid for 'service-directory' zone types."
-  type        = string
-  default     = null
-}
-
-variable "type" {
-  description = "Type of zone to create, valid values are 'public', 'private', 'forwarding', 'peering', 'service-directory','reverse-managed'."
-  type        = string
-  default     = "private"
+variable "zone_config" {
+  description = "DNS zone configuration."
+  type = object({
+    domain         = string
+    enable_logging = optional(bool, false)
+    forwarding = optional(object({
+      forwarders      = optional(map(string))
+      client_networks = list(string)
+    }))
+    peering = optional(object({
+      client_networks = list(string)
+      peer_network    = string
+    }))
+    public = optional(object({
+      dnssec_config = optional(object({
+        non_existence = optional(string, "nsec3")
+        state         = string
+        key_signing_key = optional(object(
+          { algorithm = string, key_length = number }),
+          { algorithm = "rsasha256", key_length = 2048 }
+        )
+        zone_signing_key = optional(object(
+          { algorithm = string, key_length = number }),
+          { algorithm = "rsasha256", key_length = 1024 }
+        )
+      }))
+    }))
+    private = optional(object({
+      client_networks             = list(string)
+      service_directory_namespace = optional(string)
+    }))
+  })
  validation {
-    condition     = contains(["public", "private", "forwarding", "peering", "service-directory", "reverse-managed"], var.type)
-    error_message = "Zone must be one of 'public', 'private', 'forwarding', 'peering', 'service-directory','reverse-managed'."
+    condition = (
+      (try(var.zone_config.forwarding, null) == null ? 0 : 1) +
+      (try(var.zone_config.peering, null) == null ? 0 : 1) +
+      (try(var.zone_config.public, null) == null ? 0 : 1) +
+      (try(var.zone_config.private, null) == null ? 0 : 1) <= 1
+    )
+    error_message = "Only one type of zone can be configured at a time."
  }
-}
-
-variable "zone_create" {
-  description = "Create zone. When set to false, uses a data source to reference existing zone."
-  type        = bool
-  default     = true
+  default = null
 }


-
--- a/modules/service-directory/README.md
+++ b/modules/service-directory/README.md
@ -77,15 +77,18 @@ module "service-directory" {
 }

 module "dns-sd" {
-  source                      = "./fabric/modules/dns"
-  project_id                  = "my-project"
-  type                        = "service-directory"
-  name                        = "apps"
-  domain                      = "apps.example.org."
-  client_networks             = [var.vpc.self_link]
-  service_directory_namespace = module.service-directory.id
+  source     = "./fabric/modules/dns"
+  project_id = "my-project"
+  name       = "apps"
+  zone_config = {
+    domain = "apps.example.org."
+    private = {
+      client_networks             = [var.vpc.self_link]
+      service_directory_namespace = module.service-directory.id
+    }
+  }
 }
-# tftest modules=2 resources=5 inventory=dns.yaml
+# tftest modules=2 resources=6 inventory=dns.yaml
 ```
 <!-- BEGIN TFDOC -->

--- a/tests/blueprints/factories/project_factory/examples/example.yaml
+++ b/tests/blueprints/factories/project_factory/examples/example.yaml
@ -65,7 +65,7 @@ values:
    project: test1-project
    sensitive_labels: []
    type: email
-  module.projects["project"].module.dns["ipsum"].google_dns_managed_zone.non-public[0]:
+  module.projects["project"].module.dns["ipsum"].google_dns_managed_zone.dns_managed_zone[0]:
    dns_name: ipsum.dev.example.org
    name: ipsum
    private_visibility_config:
@ -74,7 +74,7 @@ values:
      - network_url: projects/foo/networks/bar
    project: fast-dev-net-spoke-0
    visibility: private
-  module.projects["project"].module.dns["lorem"].google_dns_managed_zone.non-public[0]:
+  module.projects["project"].module.dns["lorem"].google_dns_managed_zone.dns_managed_zone[0]:
    dns_name: lorem.dev.example.org
    name: lorem
    private_visibility_config:
--- a/tests/fast/stages/s2_networking_a_peering/stage.yaml
+++ b/tests/fast/stages/s2_networking_a_peering/stage.yaml
@ -14,4 +14,4 @@

 counts:
  modules: 27
-  resources: 142
+  resources: 151
--- a/tests/fast/stages/s2_networking_b_vpn/stage.yaml
+++ b/tests/fast/stages/s2_networking_b_vpn/stage.yaml
@ -14,4 +14,4 @@

 counts:
  modules: 29
-  resources: 179
+  resources: 188
--- a/tests/fast/stages/s2_networking_c_nva/stage.yaml
+++ b/tests/fast/stages/s2_networking_c_nva/stage.yaml
@ -14,4 +14,4 @@

 counts:
  modules: 41
-  resources: 188
+  resources: 197
--- a/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml
+++ b/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml
@ -14,4 +14,4 @@

 counts:
  modules: 20
-  resources: 162
+  resources: 168
--- a/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml
@ -14,4 +14,4 @@

 counts:
  modules: 35
-  resources: 201
+  resources: 210
--- a/tests/modules/dns/examples/forwarding-zone.yaml
+++ b/tests/modules/dns/examples/forwarding-zone.yaml
@ -13,7 +13,7 @@
 # limitations under the License.

 values:
-  module.private-dns.google_dns_managed_zone.non-public[0]:
+  module.private-dns.google_dns_managed_zone.dns_managed_zone[0]:
    dns_name: test.example.
    forwarding_config:
    - target_name_servers:
--- a/tests/modules/dns/examples/peering-zone.yaml
+++ b/tests/modules/dns/examples/peering-zone.yaml
@ -13,8 +13,8 @@
 # limitations under the License.

 values:
-  module.private-dns.google_dns_managed_zone.non-public[0]:
-    description: Forwarding zone for .
+  module.private-dns.google_dns_managed_zone.dns_managed_zone[0]:
+    description: Terraform managed.
    dns_name: .
    forwarding_config: []
    name: test-example
--- a/tests/modules/dns/examples/private-zone.yaml
+++ b/tests/modules/dns/examples/private-zone.yaml
@ -13,7 +13,7 @@
 # limitations under the License.

 values:
-  module.private-dns.google_dns_managed_zone.non-public[0]:
+  module.private-dns.google_dns_managed_zone.dns_managed_zone[0]:
    description: Terraform managed.
    dns_name: test.example.
    force_destroy: false
@ -26,7 +26,7 @@ values:
      - network_url: projects/xxx/global/networks/aaa
    project: myproject
    visibility: private
-  module.private-dns.google_dns_record_set.cloud-static-records["A localhost"]:
+  module.private-dns.google_dns_record_set.dns_record_set["A localhost"]:
    managed_zone: test-example
    name: localhost.test.example.
    project: myproject
@ -35,7 +35,7 @@ values:
    - 127.0.0.1
    ttl: 300
    type: A
-  module.private-dns.google_dns_record_set.cloud-static-records["A myhost"]:
+  module.private-dns.google_dns_record_set.dns_record_set["A myhost"]:
    managed_zone: test-example
    name: myhost.test.example.
    project: myproject
--- a/tests/modules/dns/examples/public-zone.yaml
+++ b/tests/modules/dns/examples/public-zone.yaml
@ -13,12 +13,12 @@
 # limitations under the License.

 values:
-  module.public-dns.google_dns_managed_zone.public[0]:
+  module.public-dns.google_dns_managed_zone.dns_managed_zone[0]:
    dns_name: example.com.
    name: example
    project: myproject
    visibility: public
-  module.public-dns.google_dns_record_set.cloud-static-records["A myhost"]:
+  module.public-dns.google_dns_record_set.dns_record_set["A myhost"]:
    managed_zone: example
    name: myhost.example.com.
    project: myproject
--- a/tests/modules/dns/examples/reverse-zone.yaml
+++ b/tests/modules/dns/examples/reverse-zone.yaml
@ -13,7 +13,7 @@
 # limitations under the License.

 values:
-  module.private-dns.google_dns_managed_zone.non-public[0]:
+  module.private-dns.google_dns_managed_zone.dns_managed_zone[0]:
    description: Terraform managed.
    dns_name: 0.0.10.in-addr.arpa.
    name: test-example
--- a/tests/modules/dns/examples/routing-policies.yaml
+++ b/tests/modules/dns/examples/routing-policies.yaml
@ -13,11 +13,11 @@
 # limitations under the License.

 values:
-  module.private-dns.google_dns_managed_zone.non-public[0]:
+  module.private-dns.google_dns_managed_zone.dns_managed_zone[0]:
    dns_name: test.example.
    name: test-example
    project: myproject
-  module.private-dns.google_dns_record_set.cloud-geo-records["A geo"]:
+  module.private-dns.google_dns_record_set.dns_record_set["A geo"]:
    managed_zone: test-example
    name: geo.test.example.
    project: myproject
@ -41,7 +41,7 @@ values:
    rrdatas: null
    ttl: 300
    type: A
-  module.private-dns.google_dns_record_set.cloud-static-records["A regular"]:
+  module.private-dns.google_dns_record_set.dns_record_set["A regular"]:
    managed_zone: test-example
    name: regular.test.example.
    project: myproject
@ -50,7 +50,7 @@ values:
    - 10.20.0.1
    ttl: 300
    type: A
-  module.private-dns.google_dns_record_set.cloud-wrr-records["A wrr"]:
+  module.private-dns.google_dns_record_set.dns_record_set["A wrr"]:
    managed_zone: test-example
    name: wrr.test.example.
    project: myproject
--- a/tests/modules/dns/no_clients.tfvars
+++ b/tests/modules/dns/no_clients.tfvars
@ -1,5 +0,0 @@
-type            = "private"
-domain          = "test.example."
-name            = "test"
-project_id      = "my-project"
-client_networks = []
--- a/tests/modules/dns/no_clients.yaml
+++ b/tests/modules/dns/no_clients.yaml
@ -1,25 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
-  google_dns_managed_zone.non-public[0]:
-    dns_name: test.example.
-    name: test
-    private_visibility_config: []
-    visibility: private
-
-counts:
-  google_dns_managed_zone: 1
-  modules: 0
-  resources: 1
--- a/tests/modules/dns/null_forwarders.tfvars
+++ b/tests/modules/dns/null_forwarders.tfvars
@ -1,4 +0,0 @@
-type       = "forwarding"
-domain     = "test.example."
-name       = "test"
-project_id = "my-project"
--- a/tests/modules/dns/null_forwarders.yaml
+++ b/tests/modules/dns/null_forwarders.yaml
@ -1,20 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
-  google_dns_managed_zone.non-public[0]:
-    forwarding_config: []
-
-counts:
-  google_dns_managed_zone: 1
--- a/tests/modules/dns/tftest.yaml
+++ b/tests/modules/dns/tftest.yaml
@ -1,19 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-module: modules/dns
-
-tests:
-  no_clients:
-  null_forwarders:
--- a/tests/modules/service_directory/examples/dns.yaml
+++ b/tests/modules/service_directory/examples/dns.yaml
@ -13,7 +13,7 @@
 # limitations under the License.

 values:
-  module.dns-sd.google_dns_managed_zone.non-public[0]:
+  module.dns-sd.google_dns_managed_zone.dns_managed_zone[0]:
    dns_name: apps.example.org.
    visibility: private
  module.service-directory.google_service_directory_endpoint.default["app1/one"]: