Simplify DNSSEC config

modules/dns/main.tf

@@ -99,9 +99,6 @@ resource "google_dns_managed_zone" "non-public" {
     }
   }
 
-  cloud_logging_config {
-    enable_logging = var.enable_logging
-  }
 }
 
 data "google_dns_managed_zone" "public" {
@@ -119,24 +116,25 @@ resource "google_dns_managed_zone" "public" {
   visibility  = "public"
 
   dynamic "dnssec_config" {
-    for_each = var.dnssec_config == {} ? [] : tolist([var.dnssec_config])
+    for_each = var.dnssec_config == null ? [] : [1]
     iterator = config
     content {
-      kind          = lookup(config.value, "kind", "dns#managedZoneDnsSecConfig")
-      non_existence = lookup(config.value, "non_existence", "nsec3")
-      state         = lookup(config.value, "state", "off")
+      kind          = "dns#managedZoneDnsSecConfig"
+      non_existence = var.dnssec_config.non_existence
+      state         = var.dnssec_config.state
 
       default_key_specs {
-        algorithm  = lookup(var.default_key_specs_key, "algorithm", "rsasha256")
-        key_length = lookup(var.default_key_specs_key, "key_length", 2048)
-        key_type   = lookup(var.default_key_specs_key, "key_type", "keySigning")
-        kind       = lookup(var.default_key_specs_key, "kind", "dns#dnsKeySpec")
+        algorithm  = var.dnssec_config.key_signing_key.algorithm
+        key_length = var.dnssec_config.key_signing_key.key_length
+        key_type   = "keySigning"
+        kind       = "dns#dnsKeySpec"
       }
+
       default_key_specs {
-        algorithm  = lookup(var.default_key_specs_zone, "algorithm", "rsasha256")
-        key_length = lookup(var.default_key_specs_zone, "key_length", 1024)
-        key_type   = lookup(var.default_key_specs_zone, "key_type", "zoneSigning")
-        kind       = lookup(var.default_key_specs_zone, "kind", "dns#dnsKeySpec")
+        algorithm  = var.dnssec_config.zone_signing_key.algorithm
+        key_length = var.dnssec_config.zone_signing_key.key_length
+        key_type   = "zoneSigning"
+        kind       = "dns#dnsKeySpec"
       }
     }
   }

modules/dns/variables.tf

@@ -25,18 +25,6 @@ variable "client_networks" {
   nullable    = false
 }
 
-variable "default_key_specs_key" {
-  description = "DNSSEC default key signing specifications: algorithm, key_length, key_type, kind."
-  type        = any
-  default     = {}
-}
-
-variable "default_key_specs_zone" {
-  description = "DNSSEC default zone signing specifications: algorithm, key_length, key_type, kind."
-  type        = any
-  default     = {}
-}
-
 variable "description" {
   description = "Domain description."
   type        = string
@@ -44,9 +32,20 @@ variable "description" {
 }
 
 variable "dnssec_config" {
-  description = "DNSSEC configuration: kind, non_existence, state."
-  type        = any
-  default     = {}
+  description = "DNSSEC configuration for this zone."
+  type = object({
+    non_existence = optional(string, "nsec3")
+    state         = string
+    key_signing_key = optional(object(
+      { algorithm = string, key_length = number }),
+      { algorithm = "rsasha256", key_length = 2048 }
+    )
+    zone_signing_key = optional(object(
+      { algorithm = string, key_length = number }),
+      { algorithm = "rsasha256", key_length = 1024 }
+    )
+  })
+  default = null
 }
 
 variable "domain" {
@@ -60,6 +59,13 @@ variable "forwarders" {
   default     = {}
 }
 
+variable "enable_logging" {
+  description = "Enable query logging for this zone. Only valid for public zones."
+  type        = bool
+  default     = false
+  nullable    = false
+}
+
 variable "name" {
   description = "Zone name, must be unique within the project."
   type        = string