https://github.com/memes/terraform-google-restricted-apis-dns

Terraform module to create Cloud DNS zones to support restricted Google API access.

# Restricted APIs DNS module

![GitHub release](https://img.shields.io/github/v/release/memes/terraform-google-restricted-apis-dns?sort=semver)
![Maintenance](https://img.shields.io/maintenance/yes/2024)
[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](CODE_OF_CONDUCT.md)

This Terraform module creates opinionated private Cloud DNS records that resolve
Google Cloud API endpoints to the `restricted.googleapis.com` or `private.googleapis.com` endpoints.

* A private zone is created that overrides all `*.googleapis.com` names, resolving them to either
  * `restricted.googleapis.com` via `199.36.153.4/30` and `2600:2d00:0002:1000::/64`, or
  * `private.googleapis.com` via `199.36.153.8/30` and `2600:2d00:0002:2000::/64`

  > NOTE: The VPC route to `199.36.153.4/30` or `199.36.153.8/30` is not managed by this
  > module; see the companion [multi-region-private-network] module.
* Additional domains are set through the `overrides` variable; by default the
  `gcr.io` and `pkg.dev` domains for GCR and GAR are included.

## Opinions

1. `A` and `AAAA` records will **always** be created
2. All endpoints matching `*.googleapis.com` will resolve to `restricted.googleapis.com` (or to `private.googleapis.com` if the `use_private_access_endpoints` variable is `true`). The restricted endpoint serves only the APIs that support VPC Service Controls, so choose the private endpoint when a workload needs an API outside that set.
> NOTE: The intent of this module is to easily repeat a common use-case where
> all Google Cloud endpoints must resolve to `restricted.googleapis.com` or `private.googleapis.com`. It is
> not a general purpose Cloud DNS module; use Google's [cloud-dns] module for that
> purpose.
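The two opinions above translate into a small, fixed set of Cloud DNS resources. The block below is an added illustration, not the module's own source: it writes out by hand the `googleapis` zone and the `A` and wildcard `CNAME` records listed in the Resources table, for the restricted endpoint. The project id, network URL, zone name and TTL are placeholders; the IPv4 addresses are the `199.36.153.4/30` range from this README.

```hcl
# Added illustration, not the module's own source: the Cloud DNS resources behind
# the module's "googleapis" zone, written out by hand so the record shapes are
# visible. Project id, network URL, zone name and TTL are placeholders.

# Private zone that shadows the public googleapis.com for the attached VPC.
resource "google_dns_managed_zone" "googleapis" {
  project     = "my-project-id"
  name        = "restricted-googleapis"
  dns_name    = "googleapis.com."
  visibility  = "private"
  description = "Resolve all *.googleapis.com to restricted.googleapis.com"

  private_visibility_config {
    networks {
      network_url = "https://www.googleapis.com/compute/v1/projects/my-project-id/global/networks/my-network"
    }
  }
}

# A records for the restricted VIP: the four hosts in 199.36.153.4/30.
resource "google_dns_record_set" "googleapis_a" {
  project      = "my-project-id"
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "restricted.googleapis.com."
  type         = "A"
  ttl          = 300
  rrdatas      = ["199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"]
}

# AAAA records follow the same pattern using the addresses Google publishes
# inside 2600:2d00:0002:1000::/64; they are omitted here rather than guessed.

# Wildcard CNAME: every other *.googleapis.com name collapses onto the VIP, so
# storage.googleapis.com, compute.googleapis.com, etc. never resolve publicly
# from inside the VPC. The explicit A record above wins over the wildcard.
resource "google_dns_record_set" "googleapis_cname" {
  project      = "my-project-id"
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "*.googleapis.com."
  type         = "CNAME"
  ttl          = 300
  rrdatas      = ["restricted.googleapis.com."]
}
```

Each domain in `overrides` (for example `gcr.io`) gets the same three-resource shape in its own private zone, which is what the `overrides_a`, `overrides_aaaa` and `overrides_cname` resources in the Resources table correspond to.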

## Examples

### Default use-case

|Item|Managed by module|Description|
|----|-----------------|-----------|
|Override googleapis.com|✓|Always directed to `restricted.googleapis.com`|
|Override gcr.io|✓|Default `overrides` value will direct to `restricted.googleapis.com`|
|Override pkg.dev|✓|Default `overrides` value will direct to `restricted.googleapis.com`|
|Added to VPC network|✓|Zones will be added as Private Cloud DNS to any VPC network provided in `network_self_links`|
|Route to private endpoints||Must be managed per-VPC|

```hcl
module "restricted_apis" {
  source     = "memes/restricted-apis-dns/google"
  version    = "1.3.0"
  project_id = "my-project-id"
  # Partial self-link form: projects/PROJECT/global/networks/NETWORK
  network_self_links = [
    "projects/my-project-id/global/networks/my-network",
  ]
}
```
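The table above flags the one piece the module leaves to you: the VPC route to the restricted VIP. Without it the DNS override resolves names to `199.36.153.4/30` that nothing can reach. The following is an added example, not part of this module or its README, showing the per-VPC pieces wired up beside the module call: a subnet with Private Google Access, the route, and (as a hardening assumption beyond what the README describes) an egress firewall pair that permits HTTPS only to the VIP. The project id, region, subnet CIDR and resource names are placeholders; the VIP range is the one from this README.

```hcl
# Added example, not from the module: the per-VPC pieces the README says it does
# not manage, placed beside the module call. Project id, region, CIDRs and
# resource names are placeholders; the VIP range is the README's 199.36.153.4/30.

locals {
  project_id     = "my-project-id"
  restricted_vip = "199.36.153.4/30"
}

resource "google_compute_network" "vpc" {
  project                 = local.project_id
  name                    = "my-network"
  auto_create_subnetworks = false
}

# Private Google Access lets VMs without external IPs reach the VIP.
resource "google_compute_subnetwork" "app" {
  project                  = local.project_id
  name                     = "app"
  region                   = "us-central1"
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/24"
  private_ip_google_access = true
}

# Route the restricted VIP to Google's edge. The Cloud DNS records alone do
# nothing useful if no route matches 199.36.153.4/30.
resource "google_compute_route" "restricted_apis" {
  project          = local.project_id
  name             = "restricted-apis"
  network          = google_compute_network.vpc.name
  dest_range       = local.restricted_vip
  next_hop_gateway = "default-internet-gateway"
  priority         = 1000
}

# Hardening assumption beyond the README: allow HTTPS egress to the VIP only and
# deny all other egress, so a workload cannot sidestep the DNS override by
# connecting to a public googleapis.com address directly. Extend the allow
# rule for any other destinations the workload legitimately needs.
resource "google_compute_firewall" "allow_restricted_egress" {
  project            = local.project_id
  name               = "allow-restricted-apis-egress"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 900
  destination_ranges = [local.restricted_vip]

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

resource "google_compute_firewall" "deny_all_egress" {
  project            = local.project_id
  name               = "deny-all-egress"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 65000
  destination_ranges = ["0.0.0.0/0"]

  deny {
    protocol = "all"
  }
}

# The module attaches its private zones to the VPC created above.
module "restricted_apis" {
  source             = "memes/restricted-apis-dns/google"
  version            = "1.3.0"
  project_id         = local.project_id
  network_self_links = [google_compute_network.vpc.self_link]
}
```

To check the result from a VM in the subnet, run `dig +short storage.googleapis.com`: the answer should be `restricted.googleapis.com.` followed by addresses in `199.36.153.4` to `199.36.153.7`. Public Google addresses in the answer mean the zone is not attached to that VPC; correct addresses but a hanging `curl https://storage.googleapis.com` mean the route or egress rule is missing.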

### Disable restricted override for Container Registry and Artifact Registry

|Item|Managed by module|Description|
|----|-----------------|-----------|
|Override googleapis.com|✓|Always directed to `restricted.googleapis.com`|
|Override gcr.io||Disabled by setting `overrides` to `[]`|
|Override pkg.dev||Disabled by setting `overrides` to `[]`|
|Added to VPC network|✓|Zones will be added as Private Cloud DNS to any VPC network provided in `network_self_links`|
|Route to private endpoints||Must be managed per-VPC|

```hcl
module "restricted_apis" {
  source     = "memes/restricted-apis-dns/google"
  version    = "1.3.0"
  project_id = "my-project-id"
  # Empty list: only googleapis.com is overridden; gcr.io and pkg.dev resolve publicly
  overrides  = []
  network_self_links = [
    "projects/my-project-id/global/networks/my-network",
  ]
}
```

### Enable private access overrides

|Item|Managed by module|Description|
|----|-----------------|-----------|
|Override googleapis.com|✓|Always directed to `private.googleapis.com`|
|Override gcr.io|✓|Default `overrides` value will direct to `private.googleapis.com`|
|Override pkg.dev|✓|Default `overrides` value will direct to `private.googleapis.com`|
|Added to VPC network|✓|Zones will be added as Private Cloud DNS to any VPC network provided in `network_self_links`|
|Route to private endpoints||Must be managed per-VPC|

```hcl
module "private_apis" {
  source     = "memes/restricted-apis-dns/google"
  version    = "1.3.0"
  project_id = "my-project-id"
  # Resolve to private.googleapis.com (199.36.153.8/30) instead of the restricted VIP
  use_private_access_endpoints = true
  network_self_links = [
    "projects/my-project-id/global/networks/my-network",
  ]
}
```

### Enable private access with support for Cloud Functions

|Item|Managed by module|Description|
|----|-----------------|-----------|
|Override googleapis.com|✓|Always directed to `private.googleapis.com`|
|Override gcr.io|✓|Explicit `overrides` value will direct to `private.googleapis.com`|
|Override pkg.dev|✓|Explicit `overrides` value will direct to `private.googleapis.com`|
|Override cloudfunctions.net|✓|Explicit `overrides` value will direct to `private.googleapis.com`|
|Added to VPC network|✓|Zones will be added as Private Cloud DNS to any VPC network provided in `network_self_links`|
|Route to private endpoints||Must be managed per-VPC|

```hcl
module "private_apis" {
  source     = "memes/restricted-apis-dns/google"
  version    = "1.3.0"
  project_id = "my-project-id"
  use_private_access_endpoints = true
  # Setting overrides replaces the default list, so gcr.io and pkg.dev must be repeated
  overrides = [
    "gcr.io",
    "pkg.dev",
    "cloudfunctions.net",
  ]
  network_self_links = [
    "projects/my-project-id/global/networks/my-network",
  ]
}
```

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.2 |
| [google](#requirement\_google) | >= 4.42 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [google_dns_managed_zone.googleapis](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone) | resource |
| [google_dns_managed_zone.overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone) | resource |
| [google_dns_record_set.googleapis_a](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |
| [google_dns_record_set.googleapis_aaaa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |
| [google_dns_record_set.googleapis_cname](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |
| [google_dns_record_set.overrides_a](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |
| [google_dns_record_set.overrides_aaaa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |
| [google_dns_record_set.overrides_cname](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [network\_self\_links](#input\_network\_self\_links) | Fully-qualified VPC network self-links to which the restricted APIs Cloud DNS zones will be attached. If left empty, the Cloud DNS zones will need to be associated with the VPCs outside this module. | `list(string)` | n/a | yes |
| [project\_id](#input\_project\_id) | The GCP project identifier where the Cloud DNS resources will be created. | `string` | n/a | yes |
| [labels](#input\_labels) | An optional map of key:value labels to apply to the resources. Default value is an empty map. | `map(string)` | `{}` | no |
| [name](#input\_name) | The name to use when naming resources managed by this module. Must be RFC1035 compliant and between 1 and 52 characters in length, inclusive. | `string` | `"restricted"` | no |
| [overrides](#input\_overrides) | A list of additional Google Cloud endpoint domains that should be forced to resolve through restricted.googleapis.com (or private.googleapis.com when `use_private_access_endpoints` is `true`). These must be compatible with VPC Service Controls. Default value will allow restricted access to GCR and GAR. | `list(string)` | `["gcr.io", "pkg.dev"]` | no |
| [use\_private\_access\_endpoints](#input\_use\_private\_access\_endpoints) | Add Cloud DNS entries that resolve to the private.googleapis.com endpoints instead of restricted.googleapis.com. Use this when creating VPCs which require private Google APIs access but for which the restricted endpoints are not supported for the target GCP services. | `bool` | `false` | no |

## Outputs

No outputs.

[multi-region-private-network]: https://registry.terraform.io/modules/memes/multi-region-private-network/google/latest?tab=readme
[cloud-dns]: https://registry.terraform.io/modules/terraform-google-modules/cloud-dns/google/latest?tab=readme