hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Domain ownership verification failure when setting PTR record on google_compute_instance (public_ptr_domain_name) #12204

Open MihaiBojin opened 2 years ago

MihaiBojin commented 2 years ago

Description

To set a PTR DNS record for a Compute Instance you must verify that you own the domain. However, the operation may still fail, even after verifying the domain, and it is not immediately obvious why.

I'm proposing a documentation update to further clarify what users should do to successfully set PTR records.

The error usually looks like this:

Please verify ownership of the PTR domain at https://www.google.com/webmasters/verification/verification

ISSUE: It is not sufficient to verify the domain for your user!

SOLUTION: You must add ALL service accounts as verified domain owners in the Webmasters console.


For example, once I added the service user that interacts with GCP (i.e., [SERVICE_USER]@[PROJECT].iam.gserviceaccount.com), I could successfully apply the PTR record.

(screenshot: verify-domain-ownership)

New or Affected Resource(s)

Potential Terraform Configuration

resource "google_compute_instance" "default" {
  provider     = google
  name         = "default"
  machine_type = "e2-micro"
  zone         = "europe-west3-c"

  boot_disk {
    initialize_params {
      image = "ubuntu-os-cloud/ubuntu-2004-focal-v20220712"
    }
  }

  network_interface {
    network = "default"
    access_config {
      # The running Google credentials (e.g. the service account Terraform
      # authenticates as) must be a verified owner of this domain.
      public_ptr_domain_name = "YOUR.DOMAIN.COM"
    }
  }
}


Documenting this requirement would greatly help users in figuring out what they missed (for example, I just spent unnecessary time debugging why this wasn't working from Terraform but was working from the Google Cloud UI; it wasn't immediately obvious that the service account should be the verified owner of the subdomain I was using).

References

Public documentation pages:

b/321387251

MihaiBojin commented 2 years ago

I assume the verification behavior is correct (i.e., the principal operating on the Compute Engine instance must be a verified domain owner). If someone could confirm this, I'd be more than happy to submit a PR for the Terraform Provider page (and the Google site, though I suspect I wouldn't have access to it).

Thank you!

melinath commented 10 months ago

go/terraform-on-cgc may be useful if desired.

karolgorc commented 3 weeks ago

Hi, this behaviour is correct. There are 2 ways to verify your domain.

You can verify your domain name in 2 ways:

  • If you have a Google account, you can verify by using Search Console.
  • If you have a Google or non-Google account, you can verify by adding your VM's IP address to your DNS configuration.

The DNS way wasn't publicly documented until we saw this issue. Here is the Google doc containing it: https://cloud.google.com/compute/docs/instances/create-ptr-record
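For the DNS-based verification path described in the comment above, the following is an added example Terraform configuration; it is not from the original issue, the provider docs, or the linked Google page. It reserves a static external address first, publishes an A record for the PTR domain name that points at that address in a Cloud DNS zone, and only then creates the instance with public_ptr_domain_name, so the principal running Terraform does not need to be added as a verified owner in Search Console. The zone name example-zone, the domain vm.example.com, and the region/zone values are assumptions. Note that depends_on only orders resource creation within Terraform; it does not wait for the A record to become resolvable. If the instance create still fails with the "Please verify ownership of the PTR domain" error, confirm the record resolves (dig +short A vm.example.com) before retrying, and make sure the A record and the VM use the same IP, which is why the address is reserved up front.

```hcl
# Added example (not the issue's or the provider's own code):
# DNS-based domain verification for a public PTR record on a GCE instance.
# Assumptions: an existing Cloud DNS managed zone named "example-zone"
# for example.com, and the PTR domain name vm.example.com.

# 1. Reserve the external IP first so the A record and the VM agree on it.
resource "google_compute_address" "ptr_vm" {
  name   = "ptr-vm-address"
  region = "europe-west3"
}

# 2. Look up the zone that is authoritative for the PTR domain name.
data "google_dns_managed_zone" "zone" {
  name = "example-zone" # assumed zone name
}

# 3. Publish the forward (A) record: PTR domain name -> reserved address.
#    This is the "DNS way" of proving ownership; no Search Console step.
resource "google_dns_record_set" "ptr_vm_forward" {
  # dns_name already ends with a trailing ".", e.g. "example.com."
  name         = "vm.${data.google_dns_managed_zone.zone.dns_name}"
  managed_zone = data.google_dns_managed_zone.zone.name
  type         = "A"
  ttl          = 300
  rrdatas      = [google_compute_address.ptr_vm.address]
}

# 4. Create the VM using the reserved address and the same PTR domain name.
resource "google_compute_instance" "ptr_vm" {
  name         = "ptr-vm"
  machine_type = "e2-micro"
  zone         = "europe-west3-c"

  boot_disk {
    initialize_params {
      image = "ubuntu-os-cloud/ubuntu-2004-focal-v20220712"
    }
  }

  network_interface {
    network = "default"
    access_config {
      nat_ip                 = google_compute_address.ptr_vm.address
      public_ptr_domain_name = "vm.example.com" # must match the A record name
    }
  }

  # Orders creation only; does not wait for DNS propagation of the A record.
  depends_on = [google_dns_record_set.ptr_vm_forward]
}

# After apply, forward and reverse lookups should agree (forward-confirmed rDNS).
output "ptr_check_commands" {
  value = {
    forward = "dig +short A vm.example.com"
    reverse = "dig +short -x ${google_compute_address.ptr_vm.address}"
  }
}
```

If the managed zone lives in a different project from the VM, point the data source at it with the project argument and grant the Terraform principal roles/dns.admin there; the Compute Engine side still only checks that the PTR domain name resolves to the VM's external IP.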