Open MPV opened 5 years ago
Another idea:
Maybe it could be made possible to create/allocate the forwarding IPs beforehand using google_compute_address resources (with INTERNAL type and DNS_RESOLVER purpose)?
...and then you could just send those allocated IPs into the google_dns_policy as arguments.
I was also looking into this myself as well @MPV and it sounds like a decent workaround, but the google_dns_policy doesn't have a function where you could set a pre-existing allocated IP.
https://www.terraform.io/docs/providers/google/r/dns_policy.html
There is ipv4_address but that is related to the alternative_name_server_config block, which is not the intended function for this use case.
@MPV do you know if there has been any movement on this? or has anybody found a feasible alternative solution in the meantime?
Would be worth upping the priority on this, being able to ref those inbound forwarder IPs will be useful in a multicloud DNS deployment, amongst other things.
@danawillow Can we put this on the backlog? It is pending an upstream API change. There is no programmatic way of reliably linking the address and the dns policy.
Hi @upodroid, if this is a blocker for you and you have a Google-side contact (like a TAM or CE), you can ask them to file an issue against our team internally.
Thanks, it is not blocking me but the Cloud DNS Team need to fix the API before I can fix it in terraform.
Google DNS Team have advised that this is working as intended; are we able to get terraform to leverage the gcloud command (below) to retrieve this instead of relying on the underlying API?
see update: https://issuetracker.google.com/issues/169585798
gcloud compute addresses list --filter="purpose=DNS_RESOLVER" --format='csv[no-heading](address, subnetwork)'
We can't shell out to gcloud from the provider, but it's possible for the provider to make the same API call that gcloud makes. I'll leave it up to the implementor to decide whether it makes more sense in a DNS resource or to add filtering capability to the address data source.
It is doable. Google forgot to mention that a VPC can only be bound to a single dns policy.
I think it should be a separate datasource considering that the IPs will change when subnets are changed
The most likely solution to this is a case of https://github.com/hashicorp/terraform-provider-google/issues/8255 which isn't supported yet.
Is #8255 going to be the solution to this problem?
While we wait for a permanent solution (I like the #8255 suggestion), here's a quick and dirty fix:
Requirements:
Create the following script in your modules/yourmodule/scripts: get_dns_forwarder_ips.sh
#!/bin/bash
set -e
gcloud compute addresses list --filter='purpose="DNS_RESOLVER"' --format='json[no-heading](address, subnetwork)' | jq 'map({(.address): .subnetwork}) | add'
Execution of this script will output a map of ip:subnet pairs (I needed it like this, feel free to play with the gcloud and jq filters any way you like):
{
"10.50.1.3": "https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-west1/subnetworks/my-project-vpc-subnet-europe-west1",
"10.50.2.4": "https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-west2/subnetworks/my-project-vpc-subnet-europe-west2",
"10.50.3.4": "https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-west3/subnetworks/my-project-vpc-subnet-europe-west3",
"10.50.4.6": "https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-west6/subnetworks/my-project-vpc-subnet-europe-west6"
}
Now we use this script with the external data source in your module's main.tf:
resource "google_dns_policy" "example-policy" {
name = "example-policy"
enable_inbound_forwarding = true
networks {
network_url = google_compute_network.network-1.id
}
networks {
network_url = google_compute_network.network-2.id
}
}
resource "google_compute_network" "network-1" {
name = "network-1"
auto_create_subnetworks = false
}
resource "google_compute_network" "network-2" {
name = "network-2"
auto_create_subnetworks = false
}
data "external" "dns_forwarder_ips" {
program = [ "bash", "${path.module}/scripts/get_dns_forwarder_ips.sh" ]
depends_on = [
google_dns_policy.example-policy
]
}
output "dns_forwarder_ips" {
value = data.external.dns_forwarder_ips.result
}
Outputting data.external.dns_forwarder_ips.result will provide:
dns_forwarder_ips = tomap({
"10.50.1.3" = "https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-west1/subnetworks/my-project-vpc-subnet-europe-west1"
"10.50.2.4" = "https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-west2/subnetworks/my-project-vpc-subnet-europe-west2"
"10.50.3.4" = "https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-west3/subnetworks/my-project-vpc-subnet-europe-west3"
"10.50.4.6" = "https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-west6/subnetworks/my-project-vpc-subnet-europe-west6"
})
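The same address -> subnetwork map can be built provider-side from the compute addresses aggregatedList response that gcloud itself calls, which is what the earlier comment about "the same API call that gcloud makes" amounts to. The block below is an added example, not code from this thread or from the provider: it flattens a constructed aggregatedList response (hypothetical project "my-project", made-up names and IPs), keeps only INTERNAL addresses with purpose DNS_RESOLVER, and optionally restricts the result to the subnets attached to one policy's networks, since a project-wide listing also returns the forwarders of every other VPC (each VPC carries its own policy). It also checks the one constraint the external data source imposes that the jq one-liner silently satisfies: the result must be a flat JSON object with string values only.

```python
"""Flatten a compute.addresses.aggregatedList response into the
address -> subnetwork map the thread's jq one-liner produces.
Constructed sample data only; no API calls are made."""
import ipaddress
import json

PROJECT = "my-project"  # hypothetical project used in the constructed sample


def subnet_url(region, name, project=PROJECT):
    """Self-link for a subnetwork, in the form the compute API returns."""
    return (f"https://www.googleapis.com/compute/v1/projects/{project}"
            f"/regions/{region}/subnetworks/{name}")


def addr(name, address, purpose, region, subnet, status="IN_USE"):
    """One constructed entry in the shape of a compute Address resource."""
    return {"name": name, "address": address, "addressType": "INTERNAL",
            "purpose": purpose, "status": status,
            "subnetwork": subnet_url(region, subnet)}


# Constructed sample aggregatedList response. Regions with no matching
# addresses come back as a "warning" entry instead of an "addresses" list.
SAMPLE_RESPONSE = {
    "kind": "compute#addressAggregatedList",
    "items": {
        "regions/europe-west1": {"addresses": [
            addr("dns-fwd-ew1", "10.50.1.3", "DNS_RESOLVER", "europe-west1", "vpc-a-ew1"),
            addr("ilb-frontend", "10.50.1.10", "GCE_ENDPOINT", "europe-west1", "vpc-a-ew1"),
        ]},
        "regions/europe-west2": {"addresses": [
            addr("dns-fwd-ew2", "10.50.2.4", "DNS_RESOLVER", "europe-west2", "vpc-a-ew2"),
            # A second VPC in the same project has its own policy and forwarder.
            addr("dns-fwd-vpc-b", "10.60.2.4", "DNS_RESOLVER", "europe-west2", "vpc-b-ew2"),
        ]},
        "regions/us-central1": {"warning": {
            "code": "NO_RESULTS_ON_PAGE",
            "message": "No results for scope 'regions/us-central1'."}},
    },
}


def iter_addresses(response):
    """Yield (region, address) for every address in an aggregatedList response."""
    for scope, scoped in response.get("items", {}).items():
        region = scope.split("/", 1)[1] if "/" in scope else scope
        # Scopes that only carry a "warning" have no "addresses" key.
        for a in scoped.get("addresses", []):
            yield region, a


def dns_forwarder_ips(response, subnetworks=None):
    """Map forwarder IP -> subnetwork self-link, like the jq expression above.

    Only INTERNAL addresses with purpose DNS_RESOLVER qualify. Pass the
    self-links of the subnets attached to your policy's networks to drop
    forwarders that belong to other VPCs in the same project.
    """
    result = {}
    for _region, a in iter_addresses(response):
        if a.get("purpose") != "DNS_RESOLVER" or a.get("addressType") != "INTERNAL":
            continue
        if subnetworks is not None and a.get("subnetwork") not in subnetworks:
            continue
        result[a["address"]] = a["subnetwork"]
    # Sort numerically by IP rather than lexically, so the output is stable.
    return dict(sorted(result.items(), key=lambda kv: ipaddress.ip_address(kv[0])))


def to_external_result(mapping):
    """Serialise for Terraform's external data source, which requires a flat
    JSON object whose values are all strings."""
    if any(not isinstance(v, str) for v in mapping.values()):
        raise ValueError("external data source results must be string-valued")
    return json.dumps(mapping)


if __name__ == "__main__":
    print(to_external_result(dns_forwarder_ips(SAMPLE_RESPONSE)))
```

Against a real project the response would come from the addresses.aggregatedList call (or from gcloud with --format=json), and the subnetworks set would be the self-links of the google_compute_subnetwork resources in the networks listed in the policy's networks blocks.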
b/262524736
Implementing this as the google_compute_addresses
plural datasource makes the most sense from our perspective- calling GCE APIs from the DNS resource itself would take additional permissions.
Description
Today when you create a private managed DNS zone (a dns_managed_zone with visibility = "private"), and want to use it from your hybrid/VPN environment, you'll want to add a DNS policy allowing this (a google_dns_policy with enable_inbound_forwarding = true).
After you've done this, when the policy is created, IP address(es) are automatically created with "Inbound query forwarding IP(s)" (for each region/network).
I'd like to be able to output/refer to these new IPs in Terraform.
Today I can run something like this with the gcloud command to get these IP addresses:
I imagine this could either be included as an optional return value of the google_dns_policy, or by adding type and/or purpose attributes to the google_compute_address data type, so that you can filter on those.
The former makes more sense in my head, since it would make it possible to depend on the google_dns_policy and the order of the dependency graph would sort out that the policy and its accompanying IP addresses are created before you can use them in something dependent upon it.
New or Affected Resource(s)
google_dns_managed_zone
google_dns_policy
google_compute_address (optionally)
References