From 36d253f1d3283c7c3734a632958f78015b18e650 Mon Sep 17 00:00:00 2001
From: sruffilli
Date: Wed, 12 May 2021 15:02:27 +0200
Subject: [PATCH] DNS Policies in net-vpc module (#238)
---
 modules/net-vpc/README.md | 28 ++++++++++++++++++++++++++
 modules/net-vpc/main.tf | 32 ++++++++++++++++++++++++++++++
 modules/net-vpc/variables.tf | 38 ++++++++++++++++++++++++------------
 3 files changed, 85 insertions(+), 13 deletions(-)
diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index 61e1b678a..fb6a6a5d4 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -141,6 +141,33 @@ module "vpc" {
 # tftest:modules=1:resources=4
 ```
+### DNS Policies
+
+```hcl
+module "vpc" {
+ source = "./modules/net-vpc"
+ project_id = "my-project"
+ name = "my-network"
+ dns_policy = {
+ inbound = true
+ logging = false
+ outbound = {
+ private_ns = ["10.0.0.1"]
+ public_ns = ["8.8.8.8"]
+ }
+ }
+ subnets = [
+ {
+ ip_cidr_range = "10.0.0.0/24"
+ name = "production"
+ region = "europe-west1"
+ secondary_ip_range = {}
+ }
+ ]
+}
+# tftest:modules=1:resources=3
+```
+
 ## Variables
@@ -151,6 +178,7 @@ module "vpc" {
 | *auto_create_subnetworks* | Set to true to create an auto mode subnet, defaults to custom mode. | bool | | false |
 | *delete_default_routes_on_create* | Set to true to delete the default routes at creation time. | bool | | false |
 | *description* | An optional description of this resource (triggers recreation on change). | string | | Terraform-managed. |
+| *dns_policy* | None | object({...}) | | null |
 | *iam* | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | map(map(list(string))) | | {} |
 | *log_config_defaults* | Default configuration for flow logs when enabled. | object({...}) | | ... |
 | *log_configs* | Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled. | map(map(string)) | | {} |
diff --git a/modules/net-vpc/main.tf b/modules/net-vpc/main.tf
index 0d41b9164..01998f4e7 100644
--- a/modules/net-vpc/main.tf
+++ b/modules/net-vpc/main.tf
@@ -239,6 +239,38 @@ resource "google_compute_global_address" "psn_range" {
 network = local.network.id
 }
+resource "google_dns_policy" "dns_policy" {
+ count = var.dns_policy == null ? 0 : 1
+ enable_inbound_forwarding = var.dns_policy.inbound
+ enable_logging = var.dns_policy.logging
+ name = "${var.name}-inbound-policy"
+ project = var.project_id
+ networks {
+ network_url = local.network.id
+ }
+
+ dynamic "alternative_name_server_config" {
+ for_each = var.dns_policy.outbound == null ? [] : [1]
+ content {
+ dynamic "target_name_servers" {
+ for_each = toset(var.dns_policy.outbound.private_ns)
+ iterator = ns
+ content {
+ ipv4_address = ns.key
+ forwarding_path = "private"
+ }
+ }
+ dynamic "target_name_servers" {
+ for_each = toset(var.dns_policy.outbound.public_ns)
+ iterator = ns
+ content {
+ ipv4_address = ns.key
+ }
+ }
+ }
+ }
+}
+
 resource "google_service_networking_connection" "psn_connection" {
 count = var.private_service_networking_range == null ? 0 : 1
 network = local.network.id
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index b98f324cb..6422ac172 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -32,6 +32,18 @@ variable "description" {
 default = "Terraform-managed."
 }
+variable "dns_policy" {
+ type = object({
+ inbound = bool
+ logging = bool
+ outbound = object({
+ private_ns = list(string)
+ public_ns = list(string)
+ })
+ })
+ default = null
+}
+
 variable "iam" {
 description = "Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format."
 type = map(map(list(string)))
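Review bot: The policy is named `"${var.name}-inbound-policy"` although the same resource also carries `enable_logging` and the outbound forwarders in `alternative_name_server_config`, so the name misdescribes the object whenever a caller sets `inbound = false` and only configures outbound forwarding; `name = "${var.name}-dns-policy"` fits every combination the variable allows. A rename forces replacement of any policy already created from this branch, so it is only cheap before the change ships. On the detection side, `enable_logging = var.dns_policy.logging` is the switch that turns query logging on for the bound network, and the README example added in this commit shows it as `logging = false`; showing `logging = true` in the example would steer callers toward the setting a defender wants by default.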
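Review bot: `variable "dns_policy"` has no `description`, which is why the README table in this same commit renders it as `None`, while its neighbours in the hunk context (`description`, `iam`) document themselves; something like `description = "DNS policy specification: inbound forwarding, query logging, and optional outbound forwarding to private and public name servers."` closes that gap. The strings in `outbound.private_ns` and `outbound.public_ns` are also accepted unchecked and flow straight into `ipv4_address` in main.tf, whereas `private_service_networking_range` in this same file rejects malformed input at plan time with a `validation` block; a matching block keeps a mistyped resolver address from surfacing only at apply. The sketch below wraps the lookup in `try(...)` so the condition does not depend on `||` short-circuiting when `dns_policy` or `outbound` is null, and uses `alltrue`, which needs a Terraform version that provides it — adjust if the module pins an older one.
```hcl
variable "dns_policy" {
  description = "DNS policy specification: inbound forwarding, query logging, and optional outbound forwarding to private and public name servers."
  # … unchanged: type = object({ … }) and default = null …
  validation {
    condition = alltrue([
      for ns in try(concat(var.dns_policy.outbound.private_ns, var.dns_policy.outbound.public_ns), []) :
      can(cidrhost("${ns}/32", 0))
    ])
    error_message = "Outbound name servers must be valid IPv4 addresses."
  }
}
```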
@@ -84,6 +96,19 @@ variable "peering_create_remote_end" {
 default = true
 }
+variable "private_service_networking_range" {
+ description = "RFC1919 CIDR range used for Google services that support private service networking."
+ type = string
+ default = null
+ validation {
+ condition = (
+ var.private_service_networking_range == null ||
+ can(cidrnetmask(var.private_service_networking_range))
+ )
+ error_message = "Specify a valid RFC1918 CIDR range for private service networking."
+ }
+}
+
 variable "project_id" {
 description = "The ID of the project where this VPC will be created"
 type = string
@@ -159,16 +184,3 @@ variable "vpc_create" {
 type = bool
 default = true
 }
-
-variable "private_service_networking_range" {
- description = "RFC1919 CIDR range used for Google services that support private service networking."
- type = string
- default = null
- validation {
- condition = (
- var.private_service_networking_range == null ||
- can(cidrnetmask(var.private_service_networking_range))
- )
- error_message = "Specify a valid RFC1918 CIDR range for private service networking."
- }
-}
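Review bot: The moved `description` still says `RFC1919` while the `error_message` a few lines below says `RFC1918`; since the commit rewrites these lines anyway, this is the moment to make them agree, `description = "RFC1918 CIDR range used for Google services that support private service networking."`. The `condition` only checks that the value parses as a CIDR via `can(cidrnetmask(...))`, so the RFC1918 wording in both strings promises more than the validation enforces; either say "CIDR range" in both or extend the check to the private ranges. The deletion hunk at the old position is the other half of this move and needs nothing beyond that.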