From cacb0c02e25f3d7fb108d011b956fc6edf7b5a7c Mon Sep 17 00:00:00 2001 
From: Miren Esnaola
Date: Tue, 18 Jul 2023 19:32:57 +0200
Subject: [PATCH] Refactoring of dns module
---
 .../dns-fine-grained-iam/README.md | 2 +-
 .../dns-fine-grained-iam/main.tf | 17 +-
 .../cloud-operations/dns-shared-vpc/README.md | 2 +-
 .../cloud-operations/dns-shared-vpc/main.tf | 40 +-
 .../factories/project-factory/README.md | 2 +-
 blueprints/factories/project-factory/main.tf | 17 +-
 .../onprem-google-access-dns/main.tf | 49 ++--
 .../decentralized-firewall/README.md | 2 +-
 .../networking/decentralized-firewall/main.tf | 30 ++-
 .../networking/filtering-proxy-psc/README.md | 2 +-
 .../filtering-proxy-psc/consumer.tf | 15 +-
 .../networking/filtering-proxy/README.md | 4 +-
 blueprints/networking/filtering-proxy/main.tf | 15 +-
 .../networking/hub-and-spoke-vpn/README.md | 2 +-
 .../networking/hub-and-spoke-vpn/net-dev.tf | 32 ++-
 .../hub-and-spoke-vpn/net-landing.tf | 15 +-
 .../networking/hub-and-spoke-vpn/net-prod.tf | 32 ++-
 .../README.md | 2 +-
 .../main.tf | 15 +-
 .../networking/shared-vpc-gke/README.md | 2 +-
 blueprints/networking/shared-vpc-gke/main.tf | 15 +-
 .../serverless/cloud-run-corporate/README.md | 6 +-
 .../serverless/cloud-run-corporate/main.tf | 66 +++--
 fast/stages/2-networking-a-peering/dns-dev.tf | 49 ++--
 .../2-networking-a-peering/dns-landing.tf | 49 ++--
 .../stages/2-networking-a-peering/dns-prod.tf | 49 ++--
 fast/stages/2-networking-b-vpn/dns-dev.tf | 49 ++--
 fast/stages/2-networking-b-vpn/dns-landing.tf | 49 ++--
 fast/stages/2-networking-b-vpn/dns-prod.tf | 49 ++--
 fast/stages/2-networking-c-nva/dns-dev.tf | 49 ++--
 fast/stages/2-networking-c-nva/dns-landing.tf | 49 ++--
 fast/stages/2-networking-c-nva/dns-prod.tf | 49 ++--
 .../2-networking-d-separate-envs/dns-dev.tf | 49 ++--
 .../2-networking-d-separate-envs/dns-prod.tf | 49 ++--
 fast/stages/2-networking-e-nva-bgp/dns-dev.tf | 49 ++--
 .../2-networking-e-nva-bgp/dns-landing.tf | 49 ++--
 .../stages/2-networking-e-nva-bgp/dns-prod.tf | 49 ++--
 modules/dns/README.md | 119 +++++----
 modules/dns/main.tf | 244 ++++++------------
 modules/dns/outputs.tf | 17 +-
 modules/dns/variables.tf | 110 +++----
 modules/service-directory/README.md | 19 +-
 .../project_factory/examples/example.yaml | 4 +-
 .../stages/s2_networking_a_peering/stage.yaml | 2 +-
 .../stages/s2_networking_b_vpn/stage.yaml | 2 +-
 .../stages/s2_networking_c_nva/stage.yaml | 2 +-
 .../s2_networking_d_separate_envs/stage.yaml | 2 +-
 .../stages/s2_networking_e_nva_bgp/stage.yaml | 2 +-
 .../modules/dns/examples/forwarding-zone.yaml | 2 +-
 tests/modules/dns/examples/peering-zone.yaml | 4 +-
 tests/modules/dns/examples/private-zone.yaml | 6 +-
 tests/modules/dns/examples/public-zone.yaml | 4 +-
 tests/modules/dns/examples/reverse-zone.yaml | 2 +-
 .../dns/examples/routing-policies.yaml | 8 +-
 tests/modules/dns/no_clients.tfvars | 5 -
 tests/modules/dns/no_clients.yaml | 25 --
 tests/modules/dns/null_forwarders.tfvars | 4 -
 tests/modules/dns/null_forwarders.yaml | 20 --
 tests/modules/dns/tftest.yaml | 19 --
 .../service_directory/examples/dns.yaml | 2 +-
 60 files changed, 858 insertions(+), 836 deletions(-)
 delete mode 100644 tests/modules/dns/no_clients.tfvars
 delete mode 100644 tests/modules/dns/no_clients.yaml
 delete mode 100644 tests/modules/dns/null_forwarders.tfvars
 delete mode 100644 tests/modules/dns/null_forwarders.yaml
 delete mode 100644 tests/modules/dns/tftest.yaml
diff --git a/blueprints/cloud-operations/dns-fine-grained-iam/README.md b/blueprints/cloud-operations/dns-fine-grained-iam/README.md
index 6379495dd..db88b37b1 100644
--- a/blueprints/cloud-operations/dns-fine-grained-iam/README.md
+++ b/blueprints/cloud-operations/dns-fine-grained-iam/README.md
@@ -128,5 +128,5 @@ module "test1" {
 project_create = true
 project_id = "test"
 }
-# tftest modules=9 resources=27
+# tftest modules=9 resources=28
 ```
diff --git a/blueprints/cloud-operations/dns-fine-grained-iam/main.tf b/blueprints/cloud-operations/dns-fine-grained-iam/main.tf
index c86774991..55e25e776 100644
--- a/blueprints/cloud-operations/dns-fine-grained-iam/main.tf
+++ b/blueprints/cloud-operations/dns-fine-grained-iam/main.tf
@@ -58,13 +58,16 @@ module "nat-a" {
 }
 module "dns-service-zone" {
- source = "../../../modules/dns"
- project_id = module.project.project_id
- type = "service-directory"
- name = var.name
- domain = var.zone_domain
- client_networks = [module.vpc.self_link]
- service_directory_namespace = module.service-directory.id
+ source = "../../../modules/dns"
+ project_id = module.project.project_id
+ name = var.name
+ zone_config = {
+ domain = var.zone_domain
+ private = {
+ client_networks = [module.vpc.self_link]
+ service_directory_namespace = module.service-directory.id
+ }
+ }
 }
 module "service-directory" {
diff --git a/blueprints/cloud-operations/dns-shared-vpc/README.md b/blueprints/cloud-operations/dns-shared-vpc/README.md
index ed64d1de9..ad8d6125c 100644
--- a/blueprints/cloud-operations/dns-shared-vpc/README.md
+++ b/blueprints/cloud-operations/dns-shared-vpc/README.md
@@ -51,5 +51,5 @@ module "test" {
 shared_vpc_link = "https://www.googleapis.com/compute/v1/projects/test-dns/global/networks/default"
 teams = ["team1", "team2"]
 }
-# tftest modules=9 resources=16
+# tftest modules=9 resources=20
 ```
diff --git a/blueprints/cloud-operations/dns-shared-vpc/main.tf b/blueprints/cloud-operations/dns-shared-vpc/main.tf
index 4ade9476a..2c04e6dbb 100644
--- a/blueprints/cloud-operations/dns-shared-vpc/main.tf
+++ b/blueprints/cloud-operations/dns-shared-vpc/main.tf
@@ -39,24 +39,30 @@ module "vpc" {
 }
 module "dns-private" {
- source = "../../../modules/dns"
- for_each = local.projects
- project_id = each.value
- type = "private"
- name = each.key
- domain = "${each.key}.${var.dns_domain}."
- description = "DNS zone for ${each.key}"
- client_networks = [module.vpc[each.key].self_link]
+ source = "../../../modules/dns"
+ for_each = local.projects
+ project_id = each.value
+ name = each.key
+ description = "DNS zone for ${each.key}"
+ zone_config = {
+ domain = "${each.key}.${var.dns_domain}."
+ private = {
+ client_networks = [module.vpc[each.key].self_link]
+ }
+ }
 }
 module "dns-peering" {
- source = "../../../modules/dns"
- for_each = local.projects
- project_id = local.svpc_project_id
- name = "peering-${each.key}"
- domain = "${each.key}.${var.dns_domain}."
- description = "DNS peering for ${each.key}"
- type = "peering"
- peer_network = module.vpc[each.key].self_link
- client_networks = [var.shared_vpc_link]
+ source = "../../../modules/dns"
+ for_each = local.projects
+ project_id = local.svpc_project_id
+ name = "peering-${each.key}"
+ description = "DNS peering for ${each.key}"
+ zone_config = {
+ domain = "${each.key}.${var.dns_domain}."
+ peering = {
+ peer_network = module.vpc[each.key].self_link
+ client_networks = [var.shared_vpc_link]
+ }
+ }
 }
diff --git a/blueprints/factories/project-factory/README.md b/blueprints/factories/project-factory/README.md
index 927edd73c..c121d2b26 100644
--- a/blueprints/factories/project-factory/README.md
+++ b/blueprints/factories/project-factory/README.md
@@ -76,7 +76,7 @@ module "projects" {
 service_identities_iam = try(each.value.service_identities_iam, {})
 vpc = try(each.value.vpc, null)
 }
-# tftest modules=7 resources=34 inventory=example.yaml
+# tftest modules=7 resources=36 inventory=example.yaml
 ```
 ### Projects configuration
diff --git a/blueprints/factories/project-factory/main.tf b/blueprints/factories/project-factory/main.tf
index 9dbe1721f..f70684f9c 100644
--- a/blueprints/factories/project-factory/main.tf
+++ b/blueprints/factories/project-factory/main.tf
@@ -167,13 +167,16 @@ module "billing-alert" {
 }
 module "dns" {
- source = "../../../modules/dns"
- for_each = toset(var.dns_zones)
- project_id = coalesce(local.vpc.host_project, module.project.project_id)
- type = "private"
- name = each.value
- domain = "${each.value}.${var.defaults.environment_dns_zone}"
- client_networks = [var.defaults.shared_vpc_self_link]
+ source = "../../../modules/dns"
+ for_each = toset(var.dns_zones)
+ project_id = coalesce(local.vpc.host_project, module.project.project_id)
+ name = each.value
+ zone_config = {
+ domain = "${each.value}.${var.defaults.environment_dns_zone}"
+ private = {
+ client_networks = [var.defaults.shared_vpc_self_link]
+ }
+ }
 }
 module "project" {
diff --git a/blueprints/networking/__need_fixing/onprem-google-access-dns/main.tf b/blueprints/networking/__need_fixing/onprem-google-access-dns/main.tf
index 24e7ca4d5..c122e4545 100644
--- a/blueprints/networking/__need_fixing/onprem-google-access-dns/main.tf
+++ b/blueprints/networking/__need_fixing/onprem-google-access-dns/main.tf
@@ -157,12 +157,15 @@ module "nat2" {
 ################################################################################
 module "dns-gcp" {
- source = "../../../modules/dns"
- project_id = var.project_id
- type = "private"
- name = "gcp-example"
- domain = "gcp.example.org."
- client_networks = [module.vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = var.project_id
+ name = "gcp-example"
+ zone_config = {
+ domain = "gcp.example.org."
+ private = {
+ client_networks = [module.vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 "A test-1" = { records = [module.vm-test1.internal_ip] }
@@ -171,12 +174,15 @@ module "dns-gcp" {
 }
 module "dns-api" {
- source = "../../../modules/dns"
- project_id = var.project_id
- type = "private"
- name = "googleapis"
- domain = "googleapis.com."
- client_networks = [module.vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = var.project_id
+ name = "googleapis"
+ zone_config = {
+ domain = "googleapis.com."
+ private = {
+ client_networks = [module.vpc.self_link]
+ }
+ }
 recordsets = {
 "CNAME *" = { records = ["private.googleapis.com."] }
 "A private" = { records = local.vips.private }
@@ -185,14 +191,17 @@ module "dns-api" {
 }
 module "dns-onprem" {
- source = "../../../modules/dns"
- project_id = var.project_id
- type = "forwarding"
- name = "onprem-example"
- domain = "onprem.example.org."
- client_networks = [module.vpc.self_link]
- forwarders = {
- "${cidrhost(var.ip_ranges.onprem, 3)}" = null
+ source = "../../../modules/dns"
+ project_id = var.project_id
+ name = "onprem-example"
+ zone_config = {
+ domain = "onprem.example.org."
+ forwarding = {
+ client_networks = [module.vpc.self_link]
+ forwarders = {
+ "${cidrhost(var.ip_ranges.onprem, 3)}" = null
+ }
+ }
 }
 }
diff --git a/blueprints/networking/decentralized-firewall/README.md b/blueprints/networking/decentralized-firewall/README.md
index 2fd89640c..a4eea93f9 100644
--- a/blueprints/networking/decentralized-firewall/README.md
+++ b/blueprints/networking/decentralized-firewall/README.md
@@ -51,5 +51,5 @@ module "test" {
 root_node = "organizations/0123456789"
 }
-# tftest modules=9 resources=54
+# tftest modules=9 resources=56
 ```
diff --git a/blueprints/networking/decentralized-firewall/main.tf b/blueprints/networking/decentralized-firewall/main.tf
index a05a104ff..b994dc291 100644
--- a/blueprints/networking/decentralized-firewall/main.tf
+++ b/blueprints/networking/decentralized-firewall/main.tf
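Review bot: The `null` value in `forwarders = { "${cidrhost(var.ip_ranges.onprem, 3)}" = null }` inside the new `forwarding` block is undocumented at the call site; the map's values presumably select a per-target forwarding option, but modules/dns/variables.tf is not in this hunk, so a reader cannot tell what `null` resolves to or whether the on-prem resolver is reached through the VPC. A one-line comment above the map would settle it: `# null = module default forwarding path for this target; see modules/dns/variables.tf`. The same applies to `forwarders = { for ip in var.dns.onprem : ip => null }` in the two forwarding hunks of fast/stages/2-networking-a-peering/dns-landing.tf and fast/stages/2-networking-b-vpn/dns-landing.tf.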
@@ -77,24 +77,30 @@ module "vpc-dev" {
 ###############################################################################
 module "dns-api-prod" {
- source = "../../../modules/dns"
- project_id = module.project-host-prod.project_id
- type = "private"
- name = "googleapis"
- domain = "googleapis.com."
- client_networks = [module.vpc-prod.self_link]
+ source = "../../../modules/dns"
+ project_id = module.project-host-prod.project_id
+ name = "googleapis"
+ zone_config = {
+ domain = "googleapis.com."
+ private = {
+ client_networks = [module.vpc-prod.self_link]
+ }
+ }
 recordsets = {
 "CNAME *" = { records = ["private.googleapis.com."] }
 }
 }
 module "dns-api-dev" {
- source = "../../../modules/dns"
- project_id = module.project-host-dev.project_id
- type = "private"
- name = "googleapis"
- domain = "googleapis.com."
- client_networks = [module.vpc-dev.self_link]
+ source = "../../../modules/dns"
+ project_id = module.project-host-dev.project_id
+ name = "googleapis"
+ zone_config = {
+ domain = "googleapis.com."
+ private = {
+ client_networks = [module.vpc-dev.self_link]
+ }
+ }
 recordsets = {
 "CNAME *" = { records = ["private.googleapis.com."] }
 }
diff --git a/blueprints/networking/filtering-proxy-psc/README.md b/blueprints/networking/filtering-proxy-psc/README.md
index dd9f05858..b3d90cefb 100644
--- a/blueprints/networking/filtering-proxy-psc/README.md
+++ b/blueprints/networking/filtering-proxy-psc/README.md
@@ -40,5 +40,5 @@ module "test" {
 }
 project_id = "test-project"
 }
-# tftest modules=13 resources=41
+# tftest modules=13 resources=42
 ```
diff --git a/blueprints/networking/filtering-proxy-psc/consumer.tf b/blueprints/networking/filtering-proxy-psc/consumer.tf
index bac20db72..6668afb72 100644
--- a/blueprints/networking/filtering-proxy-psc/consumer.tf
+++ b/blueprints/networking/filtering-proxy-psc/consumer.tf
@@ -81,12 +81,15 @@ resource "google_compute_forwarding_rule" "psc_ilb_consumer" {
 ###############################################################################
 module "private-dns" {
- source = "../../../modules/dns"
- project_id = module.project.project_id
- type = "private"
- name = "${var.prefix}-internal"
- domain = "internal."
- client_networks = [module.vpc-consumer.self_link]
+ source = "../../../modules/dns"
+ project_id = module.project.project_id
+ name = "${var.prefix}-internal"
+ zone_config = {
+ domain = "internal."
+ private = {
+ client_networks = [module.vpc-consumer.self_link]
+ }
+ }
 recordsets = {
 "A squid" = { ttl = 60, records = [google_compute_address.psc_endpoint_address.address] }
 "CNAME proxy" = { ttl = 3600, records = ["squid.internal."] }
diff --git a/blueprints/networking/filtering-proxy/README.md b/blueprints/networking/filtering-proxy/README.md
index 70dcf6df5..5ed64067c 100644
--- a/blueprints/networking/filtering-proxy/README.md
+++ b/blueprints/networking/filtering-proxy/README.md
@@ -47,7 +47,7 @@ module "test1" {
 prefix = "fabric"
 root_node = "folders/123456789"
 }
-# tftest modules=14 resources=38
+# tftest modules=14 resources=39
 ```
 ```hcl
@@ -58,5 +58,5 @@ module "test2" {
 prefix = "fabric"
 root_node = "folders/123456789"
 }
-# tftest modules=12 resources=32
+# tftest modules=12 resources=33
 ```
diff --git a/blueprints/networking/filtering-proxy/main.tf b/blueprints/networking/filtering-proxy/main.tf
index 127369320..d6fce6d0a 100644
--- a/blueprints/networking/filtering-proxy/main.tf
+++ b/blueprints/networking/filtering-proxy/main.tf
@@ -114,12 +114,15 @@ module "nat" {
 }
 module "private-dns" {
- source = "../../../modules/dns"
- project_id = module.project-host.project_id
- type = "private"
- name = "internal"
- domain = "internal."
- client_networks = [module.vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = module.project-host.project_id
+ name = "internal"
+ zone_config = {
+ domain = "internal."
+ private = {
+ client_networks = [module.vpc.self_link]
+ }
+ }
 recordsets = {
 "A squid" = { ttl = 60, records = [local.squid_address] }
 "CNAME proxy" = { ttl = 3600, records = ["squid.internal."] }
diff --git a/blueprints/networking/hub-and-spoke-vpn/README.md b/blueprints/networking/hub-and-spoke-vpn/README.md
index d0f2d1f08..d16a53fbb 100644
--- a/blueprints/networking/hub-and-spoke-vpn/README.md
+++ b/blueprints/networking/hub-and-spoke-vpn/README.md
@@ -114,5 +114,5 @@ module "test" {
 project_id = "project-1"
 }
-# tftest modules=20 resources=79
+# tftest modules=20 resources=84
 ```
diff --git a/blueprints/networking/hub-and-spoke-vpn/net-dev.tf b/blueprints/networking/hub-and-spoke-vpn/net-dev.tf
index f7cf84dba..d582a79f7 100644
--- a/blueprints/networking/hub-and-spoke-vpn/net-dev.tf
+++ b/blueprints/networking/hub-and-spoke-vpn/net-dev.tf
@@ -48,22 +48,28 @@ module "dev-firewall" {
 }
 module "dev-dns-peering" {
- source = "../../../modules/dns"
- project_id = var.project_id
- type = "peering"
- name = "${var.prefix}-example-com-dev-peering"
- domain = "example.com."
- client_networks = [module.dev-vpc.self_link]
- peer_network = module.landing-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = var.project_id
+ name = "${var.prefix}-example-com-dev-peering"
+ zone_config = {
+ domain = "example.com."
+ peering = {
+ client_networks = [module.dev-vpc.self_link]
+ peer_network = module.landing-vpc.self_link
+ }
+ }
 }
 module "dev-dns-zone" {
- source = "../../../modules/dns"
- project_id = var.project_id
- type = "private"
- name = "${var.prefix}-dev-example-com"
- domain = "dev.example.com."
- client_networks = [module.landing-vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = var.project_id
+ name = "${var.prefix}-dev-example-com"
+ zone_config = {
+ domain = "dev.example.com."
+ private = {
+ client_networks = [module.landing-vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 "A test-r2" = { records = [module.dev-r2-vm.internal_ip] }
diff --git a/blueprints/networking/hub-and-spoke-vpn/net-landing.tf b/blueprints/networking/hub-and-spoke-vpn/net-landing.tf
index 31fdb8561..ad7315d4f 100644
--- a/blueprints/networking/hub-and-spoke-vpn/net-landing.tf
+++ b/blueprints/networking/hub-and-spoke-vpn/net-landing.tf
@@ -48,12 +48,15 @@ module "landing-firewall" {
 }
 module "landing-dns-zone" {
- source = "../../../modules/dns"
- project_id = var.project_id
- type = "private"
- name = "${var.prefix}-example-com"
- domain = "example.com."
- client_networks = [module.landing-vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = var.project_id
+ name = "${var.prefix}-example-com"
+ zone_config = {
+ domain = "example.com."
+ private = {
+ client_networks = [module.landing-vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 "A test-r1" = { records = [module.landing-r1-vm.internal_ip] }
diff --git a/blueprints/networking/hub-and-spoke-vpn/net-prod.tf b/blueprints/networking/hub-and-spoke-vpn/net-prod.tf
index ec3260215..a76ac7789 100644
--- a/blueprints/networking/hub-and-spoke-vpn/net-prod.tf
+++ b/blueprints/networking/hub-and-spoke-vpn/net-prod.tf
@@ -48,22 +48,28 @@ module "prod-firewall" {
 }
 module "prod-dns-peering" {
- source = "../../../modules/dns"
- project_id = var.project_id
- type = "peering"
- name = "${var.prefix}-example-com-prd-peering"
- domain = "example.com."
- client_networks = [module.prod-vpc.self_link]
- peer_network = module.landing-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = var.project_id
+ name = "${var.prefix}-example-com-prd-peering"
+ zone_config = {
+ domain = "example.com."
+ peering = {
+ client_networks = [module.prod-vpc.self_link]
+ peer_network = module.landing-vpc.self_link
+ }
+ }
 }
 module "prod-dns-zone" {
- source = "../../../modules/dns"
- project_id = var.project_id
- type = "private"
- name = "${var.prefix}-prd-example-com"
- domain = "prd.example.com."
- client_networks = [module.landing-vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = var.project_id
+ name = "${var.prefix}-prd-example-com"
+ zone_config = {
+ domain = "prd.example.com."
+ private = {
+ client_networks = [module.landing-vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 "A test-r1" = { records = [module.prod-r1-vm.internal_ip] }
diff --git a/blueprints/networking/private-cloud-function-from-onprem/README.md b/blueprints/networking/private-cloud-function-from-onprem/README.md
index 4951454f9..4bb9d4d98 100644
--- a/blueprints/networking/private-cloud-function-from-onprem/README.md
+++ b/blueprints/networking/private-cloud-function-from-onprem/README.md
@@ -45,5 +45,5 @@ module "test" {
 }
 project_id = "test-project"
 }
-# tftest modules=11 resources=44
+# tftest modules=11 resources=45
 ```
diff --git a/blueprints/networking/private-cloud-function-from-onprem/main.tf b/blueprints/networking/private-cloud-function-from-onprem/main.tf
index 77b7dfb69..c44ac7858 100644
--- a/blueprints/networking/private-cloud-function-from-onprem/main.tf
+++ b/blueprints/networking/private-cloud-function-from-onprem/main.tf
@@ -199,12 +199,15 @@ module "function-hello" {
 ###############################################################################
 module "private-dns-onprem" {
- source = "../../../modules/dns"
- project_id = module.project.project_id
- type = "private"
- name = var.name
- domain = "${var.region}-${module.project.project_id}.cloudfunctions.net."
- client_networks = [module.vpc-onprem.self_link]
+ source = "../../../modules/dns"
+ project_id = module.project.project_id
+ name = var.name
+ zone_config = {
+ domain = "${var.region}-${module.project.project_id}.cloudfunctions.net."
+ private = {
+ client_networks = [module.vpc-onprem.self_link]
+ }
+ }
 recordsets = {
 "A " = { records = [module.addresses.psc_addresses[local.psc_name].address] }
 }
diff --git a/blueprints/networking/shared-vpc-gke/README.md b/blueprints/networking/shared-vpc-gke/README.md
index a60dea0c9..6aac2855f 100644
--- a/blueprints/networking/shared-vpc-gke/README.md
+++ b/blueprints/networking/shared-vpc-gke/README.md
@@ -80,5 +80,5 @@ module "test" {
 prefix = "test"
 root_node = "organizations/0123456789"
 }
-# tftest modules=11 resources=45
+# tftest modules=11 resources=46
 ```
diff --git a/blueprints/networking/shared-vpc-gke/main.tf b/blueprints/networking/shared-vpc-gke/main.tf
index 3d7577b4a..dafb2704d 100644
--- a/blueprints/networking/shared-vpc-gke/main.tf
+++ b/blueprints/networking/shared-vpc-gke/main.tf
@@ -152,12 +152,15 @@ module "nat" {
 ################################################################################
 module "host-dns" {
- source = "../../../modules/dns"
- project_id = module.project-host.project_id
- type = "private"
- name = "example"
- domain = "example.com."
- client_networks = [module.vpc-shared.self_link]
+ source = "../../../modules/dns"
+ project_id = module.project-host.project_id
+ name = "example"
+ zone_config = {
+ domain = "example.com."
+ private = {
+ client_networks = [module.vpc-shared.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 "A bastion" = { records = [module.vm-bastion.internal_ip] }
diff --git a/blueprints/serverless/cloud-run-corporate/README.md b/blueprints/serverless/cloud-run-corporate/README.md
index 93f98c549..5fabf182f 100644
--- a/blueprints/serverless/cloud-run-corporate/README.md
+++ b/blueprints/serverless/cloud-run-corporate/README.md
@@ -252,7 +252,7 @@ module "test" {
 prj_onprem_id = "onprem-project-id"
 }
-# tftest modules=15 resources=50
+# tftest modules=15 resources=52
 ```
 ```hcl
@@ -276,7 +276,7 @@ module "test" {
 tf_identity = "user@example.org"
 }
-# tftest modules=15 resources=36
+# tftest modules=15 resources=38
 ```
 ```hcl
@@ -295,5 +295,5 @@ module "test" {
 custom_domain = "cloud-run-corporate.example.org"
 }
-# tftest modules=14 resources=45
+# tftest modules=14 resources=47
 ```
diff --git a/blueprints/serverless/cloud-run-corporate/main.tf b/blueprints/serverless/cloud-run-corporate/main.tf
index aca41c284..196569a91 100644
--- a/blueprints/serverless/cloud-run-corporate/main.tf
+++ b/blueprints/serverless/cloud-run-corporate/main.tf
@@ -490,51 +490,63 @@ module "vm_test_svc1" {
 ###############################################################################
 module "private_dns_main" {
- source = "../../../modules/dns"
- project_id = module.project_main.project_id
- type = "private"
- name = "dns-main"
- client_networks = [module.vpc_main.self_link]
- domain = local.cloud_run_domain
+ source = "../../../modules/dns"
+ project_id = module.project_main.project_id
+ name = "dns-main"
+ zone_config = {
+ domain = local.cloud_run_domain
+ private = {
+ client_networks = [module.vpc_main.self_link]
+ }
+ }
 recordsets = {
 "A *" = { records = [module.psc_addr_main.psc_addresses["psc-addr"].address] }
 }
 }
 module "private_dns_main_custom" {
- source = "../../../modules/dns"
- count = var.custom_domain == null ? 0 : 1
- project_id = module.project_main.project_id
- type = "private"
- name = "dns-main-custom"
- client_networks = [module.vpc_main.self_link]
- domain = format("%s.", var.custom_domain)
+ source = "../../../modules/dns"
+ count = var.custom_domain == null ? 0 : 1
+ project_id = module.project_main.project_id
+ name = "dns-main-custom"
+ zone_config = {
+ domain = format("%s.", var.custom_domain)
+ private = {
+ client_networks = [module.vpc_main.self_link]
+ }
+ }
 recordsets = {
 "A " = { records = [module.ilb-l7[0].address] }
 }
 }
 module "private_dns_onprem" {
- source = "../../../modules/dns"
- count = length(module.project_onprem)
- project_id = module.project_onprem[0].project_id
- type = "private"
- name = "dns-onprem"
- client_networks = [module.vpc_onprem[0].self_link]
- domain = local.cloud_run_domain
+ source = "../../../modules/dns"
+ count = length(module.project_onprem)
+ project_id = module.project_onprem[0].project_id
+ name = "dns-onprem"
+ zone_config = {
+ domain = local.cloud_run_domain
+ private = {
+ client_networks = [module.vpc_onprem[0].self_link]
+ }
+ }
 recordsets = {
 "A *" = { records = [module.psc_addr_main.psc_addresses["psc-addr"].address] }
 }
 }
 module "private_dns_prj1" {
- source = "../../../modules/dns"
- count = length(module.project_prj1)
- project_id = module.project_prj1[0].project_id
- type = "private"
- name = "dns-prj1"
- client_networks = [module.vpc_prj1[0].self_link]
- domain = local.cloud_run_domain
+ source = "../../../modules/dns"
+ count = length(module.project_prj1)
+ project_id = module.project_prj1[0].project_id
+ name = "dns-prj1"
+ zone_config = {
+ domain = local.cloud_run_domain
+ private = {
+ client_networks = [module.vpc_prj1[0].self_link]
+ }
+ }
 recordsets = {
 "A *" = { records = [module.psc_addr_prj1[0].psc_addresses["psc-addr"].address] }
 }
diff --git a/fast/stages/2-networking-a-peering/dns-dev.tf b/fast/stages/2-networking-a-peering/dns-dev.tf
index efeabeaec..f40281fb5 100644
--- a/fast/stages/2-networking-a-peering/dns-dev.tf
+++ b/fast/stages/2-networking-a-peering/dns-dev.tf
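Review bot: `domain = format("%s.", var.custom_domain)` in `private_dns_main_custom` yields a doubled trailing dot (`example.org..`) whenever the caller already passes a fully qualified name, which is not a valid zone DNS name and only surfaces at apply time; the refactor rewrites this line but carries the assumption over. Normalizing the input, `domain = "${trimsuffix(var.custom_domain, ".")}."`, accepts both forms without changing the result for the README's `cloud-run-corporate.example.org` example. The other three modules in this hunk take `local.cloud_run_domain`, whose definition is outside the hunk, so they are not affected by this change.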
@@ -24,12 +24,15 @@ moved {
 }
 module "dev-dns-priv-example" {
- source = "../../../modules/dns"
- project_id = module.dev-spoke-project.project_id
- type = "private"
- name = "dev-gcp-example-com"
- domain = "dev.gcp.example.com."
- client_networks = [module.landing-vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = module.dev-spoke-project.project_id
+ name = "dev-gcp-example-com"
+ zone_config = {
+ domain = "dev.gcp.example.com."
+ private = {
+ client_networks = [module.landing-vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 }
@@ -43,13 +46,16 @@ moved {
 }
 module "dev-dns-peer-landing-root" {
- source = "../../../modules/dns"
- project_id = module.dev-spoke-project.project_id
- type = "peering"
- name = "dev-root-dns-peering"
- domain = "."
- client_networks = [module.dev-spoke-vpc.self_link]
- peer_network = module.landing-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = module.dev-spoke-project.project_id
+ name = "dev-root-dns-peering"
+ zone_config = {
+ domain = "."
+ peering = {
+ client_networks = [module.dev-spoke-vpc.self_link]
+ peer_network = module.landing-vpc.self_link
+ }
+ }
 }
 moved {
@@ -58,11 +64,14 @@ moved {
 }
 module "dev-dns-peer-landing-rev-10" {
- source = "../../../modules/dns"
- project_id = module.dev-spoke-project.project_id
- type = "peering"
- name = "dev-reverse-10-dns-peering"
- domain = "10.in-addr.arpa."
- client_networks = [module.dev-spoke-vpc.self_link]
- peer_network = module.landing-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = module.dev-spoke-project.project_id
+ name = "dev-reverse-10-dns-peering"
+ zone_config = {
+ domain = "10.in-addr.arpa."
+ peering = {
+ client_networks = [module.dev-spoke-vpc.self_link]
+ peer_network = module.landing-vpc.self_link
+ }
+ }
 }
diff --git a/fast/stages/2-networking-a-peering/dns-landing.tf b/fast/stages/2-networking-a-peering/dns-landing.tf
index e6a441a52..dcdb5cee3 100644
--- a/fast/stages/2-networking-a-peering/dns-landing.tf
+++ b/fast/stages/2-networking-a-peering/dns-landing.tf
@@ -24,13 +24,16 @@ moved {
 }
 module "landing-dns-fwd-onprem-example" {
- source = "../../../modules/dns"
- project_id = module.landing-project.project_id
- type = "forwarding"
- name = "example-com"
- domain = "onprem.example.com."
- client_networks = [module.landing-vpc.self_link]
- forwarders = { for ip in var.dns.onprem : ip => null }
+ source = "../../../modules/dns"
+ project_id = module.landing-project.project_id
+ name = "example-com"
+ zone_config = {
+ domain = "onprem.example.com."
+ forwarding = {
+ client_networks = [module.landing-vpc.self_link]
+ forwarders = { for ip in var.dns.onprem : ip => null }
+ }
+ }
 }
 moved {
@@ -39,13 +42,16 @@ moved {
 }
 module "landing-dns-fwd-onprem-rev-10" {
- source = "../../../modules/dns"
- project_id = module.landing-project.project_id
- type = "forwarding"
- name = "root-reverse-10"
- domain = "10.in-addr.arpa."
- client_networks = [module.landing-vpc.self_link]
- forwarders = { for ip in var.dns.onprem : ip => null }
+ source = "../../../modules/dns"
+ project_id = module.landing-project.project_id
+ name = "root-reverse-10"
+ zone_config = {
+ domain = "10.in-addr.arpa."
+ forwarding = {
+ client_networks = [module.landing-vpc.self_link]
+ forwarders = { for ip in var.dns.onprem : ip => null }
+ }
+ }
 }
 moved {
@@ -54,12 +60,15 @@ moved {
 }
 module "landing-dns-priv-gcp" {
- source = "../../../modules/dns"
- project_id = module.landing-project.project_id
- type = "private"
- name = "gcp-example-com"
- domain = "gcp.example.com."
- client_networks = [module.landing-vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = module.landing-project.project_id
+ name = "gcp-example-com"
+ zone_config = {
+ domain = "gcp.example.com."
+ private = {
+ client_networks = [module.landing-vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 }
diff --git a/fast/stages/2-networking-a-peering/dns-prod.tf b/fast/stages/2-networking-a-peering/dns-prod.tf
index 02fa8c239..6bd34be8f 100644
--- a/fast/stages/2-networking-a-peering/dns-prod.tf
+++ b/fast/stages/2-networking-a-peering/dns-prod.tf
@@ -24,12 +24,15 @@ moved {
 }
 module "prod-dns-priv-example" {
- source = "../../../modules/dns"
- project_id = module.prod-spoke-project.project_id
- type = "private"
- name = "prod-gcp-example-com"
- domain = "prod.gcp.example.com."
- client_networks = [module.landing-vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = module.prod-spoke-project.project_id
+ name = "prod-gcp-example-com"
+ zone_config = {
+ domain = "prod.gcp.example.com."
+ private = {
+ client_networks = [module.landing-vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 }
@@ -43,13 +46,16 @@ moved {
 }
 module "prod-dns-peer-landing-root" {
- source = "../../../modules/dns"
- project_id = module.prod-spoke-project.project_id
- type = "peering"
- name = "prod-root-dns-peering"
- domain = "."
- client_networks = [module.prod-spoke-vpc.self_link]
- peer_network = module.landing-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = module.prod-spoke-project.project_id
+ name = "prod-root-dns-peering"
+ zone_config = {
+ domain = "."
+ peering = {
+ client_networks = [module.prod-spoke-vpc.self_link]
+ peer_network = module.landing-vpc.self_link
+ }
+ }
 }
 moved {
@@ -58,11 +64,14 @@ moved {
 }
 module "prod-dns-peer-landing-rev-10" {
- source = "../../../modules/dns"
- project_id = module.prod-spoke-project.project_id
- type = "peering"
- name = "prod-reverse-10-dns-peering"
- domain = "10.in-addr.arpa."
- client_networks = [module.prod-spoke-vpc.self_link]
- peer_network = module.landing-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = module.prod-spoke-project.project_id
+ name = "prod-reverse-10-dns-peering"
+ zone_config = {
+ domain = "10.in-addr.arpa."
+ peering = {
+ client_networks = [module.prod-spoke-vpc.self_link]
+ peer_network = module.landing-vpc.self_link
+ }
+ }
 }
diff --git a/fast/stages/2-networking-b-vpn/dns-dev.tf b/fast/stages/2-networking-b-vpn/dns-dev.tf
index efeabeaec..f40281fb5 100644
--- a/fast/stages/2-networking-b-vpn/dns-dev.tf
+++ b/fast/stages/2-networking-b-vpn/dns-dev.tf
@@ -24,12 +24,15 @@ moved {
 }
 module "dev-dns-priv-example" {
- source = "../../../modules/dns"
- project_id = module.dev-spoke-project.project_id
- type = "private"
- name = "dev-gcp-example-com"
- domain = "dev.gcp.example.com."
- client_networks = [module.landing-vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = module.dev-spoke-project.project_id
+ name = "dev-gcp-example-com"
+ zone_config = {
+ domain = "dev.gcp.example.com."
+ private = {
+ client_networks = [module.landing-vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 }
@@ -43,13 +46,16 @@ moved {
 }
 module "dev-dns-peer-landing-root" {
- source = "../../../modules/dns"
- project_id = module.dev-spoke-project.project_id
- type = "peering"
- name = "dev-root-dns-peering"
- domain = "."
- client_networks = [module.dev-spoke-vpc.self_link]
- peer_network = module.landing-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = module.dev-spoke-project.project_id
+ name = "dev-root-dns-peering"
+ zone_config = {
+ domain = "."
+ peering = {
+ client_networks = [module.dev-spoke-vpc.self_link]
+ peer_network = module.landing-vpc.self_link
+ }
+ }
 }
 moved {
@@ -58,11 +64,14 @@ moved {
 }
 module "dev-dns-peer-landing-rev-10" {
- source = "../../../modules/dns"
- project_id = module.dev-spoke-project.project_id
- type = "peering"
- name = "dev-reverse-10-dns-peering"
- domain = "10.in-addr.arpa."
- client_networks = [module.dev-spoke-vpc.self_link]
- peer_network = module.landing-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = module.dev-spoke-project.project_id
+ name = "dev-reverse-10-dns-peering"
+ zone_config = {
+ domain = "10.in-addr.arpa."
+ peering = {
+ client_networks = [module.dev-spoke-vpc.self_link]
+ peer_network = module.landing-vpc.self_link
+ }
+ }
 }
diff --git a/fast/stages/2-networking-b-vpn/dns-landing.tf b/fast/stages/2-networking-b-vpn/dns-landing.tf
index e6a441a52..dcdb5cee3 100644
--- a/fast/stages/2-networking-b-vpn/dns-landing.tf
+++ b/fast/stages/2-networking-b-vpn/dns-landing.tf
@@ -24,13 +24,16 @@ moved {
 }
 module "landing-dns-fwd-onprem-example" {
- source = "../../../modules/dns"
- project_id = module.landing-project.project_id
- type = "forwarding"
- name = "example-com"
- domain = "onprem.example.com."
- client_networks = [module.landing-vpc.self_link]
- forwarders = { for ip in var.dns.onprem : ip => null }
+ source = "../../../modules/dns"
+ project_id = module.landing-project.project_id
+ name = "example-com"
+ zone_config = {
+ domain = "onprem.example.com."
+ forwarding = {
+ client_networks = [module.landing-vpc.self_link]
+ forwarders = { for ip in var.dns.onprem : ip => null }
+ }
+ }
 }
 moved {
@@ -39,13 +42,16 @@ moved {
 }
 module "landing-dns-fwd-onprem-rev-10" {
- source = "../../../modules/dns"
- project_id = module.landing-project.project_id
- type = "forwarding"
- name = "root-reverse-10"
- domain = "10.in-addr.arpa."
- client_networks = [module.landing-vpc.self_link]
- forwarders = { for ip in var.dns.onprem : ip => null }
+ source = "../../../modules/dns"
+ project_id = module.landing-project.project_id
+ name = "root-reverse-10"
+ zone_config = {
+ domain = "10.in-addr.arpa."
+ forwarding = {
+ client_networks = [module.landing-vpc.self_link]
+ forwarders = { for ip in var.dns.onprem : ip => null }
+ }
+ }
 }
 moved {
@@ -54,12 +60,15 @@ moved {
 }
 module "landing-dns-priv-gcp" {
- source = "../../../modules/dns"
- project_id = module.landing-project.project_id
- type = "private"
- name = "gcp-example-com"
- domain = "gcp.example.com."
- client_networks = [module.landing-vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = module.landing-project.project_id
+ name = "gcp-example-com"
+ zone_config = {
+ domain = "gcp.example.com."
+ private = {
+ client_networks = [module.landing-vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 }
diff --git a/fast/stages/2-networking-b-vpn/dns-prod.tf b/fast/stages/2-networking-b-vpn/dns-prod.tf
index 02fa8c239..6bd34be8f 100644
--- a/fast/stages/2-networking-b-vpn/dns-prod.tf
+++ b/fast/stages/2-networking-b-vpn/dns-prod.tf
@@ -24,12 +24,15 @@ moved {
 }
 module "prod-dns-priv-example" {
- source = "../../../modules/dns"
- project_id = module.prod-spoke-project.project_id
- type = "private"
- name = "prod-gcp-example-com"
- domain = "prod.gcp.example.com."
- client_networks = [module.landing-vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = module.prod-spoke-project.project_id
+ name = "prod-gcp-example-com"
+ zone_config = {
+ domain = "prod.gcp.example.com."
+ private = {
+ client_networks = [module.landing-vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 }
@@ -43,13 +46,16 @@ moved {
 }
 module "prod-dns-peer-landing-root" {
- source = "../../../modules/dns"
- project_id = module.prod-spoke-project.project_id
- type = "peering"
- name = "prod-root-dns-peering"
- domain = "."
- client_networks = [module.prod-spoke-vpc.self_link]
- peer_network = module.landing-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = module.prod-spoke-project.project_id
+ name = "prod-root-dns-peering"
+ zone_config = {
+ domain = "."
+ peering = {
+ client_networks = [module.prod-spoke-vpc.self_link]
+ peer_network = module.landing-vpc.self_link
+ }
+ }
 }
 moved {
@@ -58,11 +64,14 @@ moved {
 }
 module "prod-dns-peer-landing-rev-10" {
- source = "../../../modules/dns"
- project_id = module.prod-spoke-project.project_id
- type = "peering"
- name = "prod-reverse-10-dns-peering"
- domain = "10.in-addr.arpa."
- client_networks = [module.prod-spoke-vpc.self_link]
- peer_network = module.landing-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = module.prod-spoke-project.project_id
+ name = "prod-reverse-10-dns-peering"
+ zone_config = {
+ domain = "10.in-addr.arpa."
+ peering = {
+ client_networks = [module.prod-spoke-vpc.self_link]
+ peer_network = module.landing-vpc.self_link
+ }
+ }
 }
diff --git a/fast/stages/2-networking-c-nva/dns-dev.tf b/fast/stages/2-networking-c-nva/dns-dev.tf
index 98d56aa72..ccedee721 100644
--- a/fast/stages/2-networking-c-nva/dns-dev.tf
+++ b/fast/stages/2-networking-c-nva/dns-dev.tf
@@ -19,12 +19,15 @@
 # GCP-specific environment zone
 module "dev-dns-private-zone" {
- source = "../../../modules/dns"
- project_id = module.dev-spoke-project.project_id
- type = "private"
- name = "dev-gcp-example-com"
- domain = "dev.gcp.example.com."
- client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = module.dev-spoke-project.project_id
+ name = "dev-gcp-example-com"
+ zone_config = {
+ domain = "dev.gcp.example.com."
+ private = {
+ client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 }
@@ -38,13 +41,16 @@ moved {
 }
 module "dev-dns-peer-landing-root" {
- source = "../../../modules/dns"
- project_id = module.dev-spoke-project.project_id
- type = "peering"
- name = "dev-root-dns-peering"
- domain = "."
- client_networks = [module.dev-spoke-vpc.self_link]
- peer_network = module.landing-trusted-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = module.dev-spoke-project.project_id
+ name = "dev-root-dns-peering"
+ zone_config = {
+ domain = "."
+ peering = {
+ client_networks = [module.dev-spoke-vpc.self_link]
+ peer_network = module.landing-trusted-vpc.self_link
+ }
+ }
 }
 moved {
@@ -53,11 +59,14 @@ moved {
 }
 module "dev-dns-peer-landing-rev-10" {
- source = "../../../modules/dns"
- project_id = module.dev-spoke-project.project_id
- type = "peering"
- name = "dev-reverse-10-dns-peering"
- domain = "10.in-addr.arpa."
- client_networks = [module.dev-spoke-vpc.self_link]
- peer_network = module.landing-trusted-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = module.dev-spoke-project.project_id
+ name = "dev-reverse-10-dns-peering"
+ zone_config = {
+ domain = "10.in-addr.arpa."
+ peering = {
+ client_networks = [module.dev-spoke-vpc.self_link]
+ peer_network = module.landing-trusted-vpc.self_link
+ }
+ }
 }
diff --git a/fast/stages/2-networking-c-nva/dns-landing.tf b/fast/stages/2-networking-c-nva/dns-landing.tf
index 50b658901..5c8e17775 100644
--- a/fast/stages/2-networking-c-nva/dns-landing.tf
+++ b/fast/stages/2-networking-c-nva/dns-landing.tf
@@ -26,14 +26,17 @@ moved {
 module "landing-dns-fwd-onprem-example" {
 source = "../../../modules/dns"
 project_id = module.landing-project.project_id
- type = "forwarding"
 name = "example-com"
- domain = "onprem.example.com."
- client_networks = [
- module.landing-untrusted-vpc.self_link,
- module.landing-trusted-vpc.self_link
- ]
- forwarders = { for ip in var.dns.onprem : ip => null }
+ zone_config = {
+ domain = "onprem.example.com."
+ forwarding = {
+ client_networks = [
+ module.landing-untrusted-vpc.self_link,
+ module.landing-trusted-vpc.self_link
+ ]
+ forwarders = { for ip in var.dns.onprem : ip => null }
+ }
+ }
 }
 moved {
@@ -44,14 +47,17 @@ moved {
 module "landing-dns-fwd-onprem-rev-10" {
 source = "../../../modules/dns"
 project_id = module.landing-project.project_id
- type = "forwarding"
 name = "root-reverse-10"
- domain = "10.in-addr.arpa."
- client_networks = [
- module.landing-untrusted-vpc.self_link,
- module.landing-trusted-vpc.self_link
- ]
- forwarders = { for ip in var.dns.onprem : ip => null }
+ zone_config = {
+ domain = "10.in-addr.arpa."
+ forwarding = {
+ client_networks = [
+ module.landing-untrusted-vpc.self_link,
+ module.landing-trusted-vpc.self_link
+ ]
+ forwarders = { for ip in var.dns.onprem : ip => null }
+ }
+ }
 }
 moved {
@@ -62,13 +68,16 @@ moved {
 module "landing-dns-priv-gcp" {
 source = "../../../modules/dns"
 project_id = module.landing-project.project_id
- type = "private"
 name = "gcp-example-com"
- domain = "gcp.example.com."
- client_networks = [
- module.landing-untrusted-vpc.self_link,
- module.landing-trusted-vpc.self_link
- ]
+ zone_config = {
+ domain = "gcp.example.com."
+ private = {
+ client_networks = [
+ module.landing-untrusted-vpc.self_link,
+ module.landing-trusted-vpc.self_link
+ ]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 }
diff --git a/fast/stages/2-networking-c-nva/dns-prod.tf b/fast/stages/2-networking-c-nva/dns-prod.tf
index 5627e4386..62cfab03c 100644
--- a/fast/stages/2-networking-c-nva/dns-prod.tf
+++ b/fast/stages/2-networking-c-nva/dns-prod.tf
@@ -19,12 +19,15 @@
 # GCP-specific environment zone
 module "prod-dns-private-zone" {
- source = "../../../modules/dns"
- project_id = module.prod-spoke-project.project_id
- type = "private"
- name = "prod-gcp-example-com"
- domain = "prod.gcp.example.com."
- client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = module.prod-spoke-project.project_id
+ name = "prod-gcp-example-com"
+ zone_config = {
+ domain = "prod.gcp.example.com."
+ private = {
+ client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 }
@@ -38,13 +41,16 @@ moved {
 }
 module "prod-dns-peer-landing-root" {
- source = "../../../modules/dns"
- project_id = module.prod-spoke-project.project_id
- type = "peering"
- name = "prod-root-dns-peering"
- domain = "."
- client_networks = [module.prod-spoke-vpc.self_link]
- peer_network = module.landing-trusted-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = module.prod-spoke-project.project_id
+ name = "prod-root-dns-peering"
+ zone_config = {
+ domain = "."
+ peering = {
+ client_networks = [module.prod-spoke-vpc.self_link]
+ peer_network = module.landing-trusted-vpc.self_link
+ }
+ }
 }
 moved {
@@ -53,11 +59,14 @@ moved {
 }
 module "prod-dns-peer-landing-rev-10" {
- source = "../../../modules/dns"
- project_id = module.prod-spoke-project.project_id
- type = "peering"
- name = "prod-reverse-10-dns-peering"
- domain = "10.in-addr.arpa."
- client_networks = [module.prod-spoke-vpc.self_link]
- peer_network = module.landing-trusted-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = module.prod-spoke-project.project_id
+ name = "prod-reverse-10-dns-peering"
+ zone_config = {
+ domain = "10.in-addr.arpa."
+ peering = {
+ client_networks = [module.prod-spoke-vpc.self_link]
+ peer_network = module.landing-trusted-vpc.self_link
+ }
+ }
 }
diff --git a/fast/stages/2-networking-d-separate-envs/dns-dev.tf b/fast/stages/2-networking-d-separate-envs/dns-dev.tf
index 134b69cff..bad0db192 100644
--- a/fast/stages/2-networking-d-separate-envs/dns-dev.tf
+++ b/fast/stages/2-networking-d-separate-envs/dns-dev.tf
@@ -19,12 +19,15 @@
 # GCP-specific environment zone
 module "dev-dns-private-zone" {
- source = "../../../modules/dns"
- project_id = module.dev-spoke-project.project_id
- type = "private"
- name = "dev-gcp-example-com"
- domain = "dev.gcp.example.com."
- client_networks = [module.dev-spoke-vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = module.dev-spoke-project.project_id
+ name = "dev-gcp-example-com"
+ zone_config = {
+ domain = "dev.gcp.example.com."
+ private = {
+ client_networks = [module.dev-spoke-vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 }
@@ -36,13 +39,16 @@ moved {
 }
 module "dev-dns-fwd-onprem-example" {
- source = "../../../modules/dns"
- project_id = module.dev-spoke-project.project_id
- type = "forwarding"
- name = "example-com"
- domain = "onprem.example.com."
- client_networks = [module.dev-spoke-vpc.self_link]
- forwarders = { for ip in var.dns.dev : ip => null }
+ source = "../../../modules/dns"
+ project_id = module.dev-spoke-project.project_id
+ name = "example-com"
+ zone_config = {
+ domain = "onprem.example.com."
+ forwarding = {
+ client_networks = [module.dev-spoke-vpc.self_link]
+ forwarders = { for ip in var.dns.dev : ip => null }
+ }
+ }
 }
 moved {
@@ -51,13 +57,16 @@ moved {
 }
 module "dev-dns-fwd-onprem-rev-10" {
- source = "../../../modules/dns"
- project_id = module.dev-spoke-project.project_id
- type = "forwarding"
- name = "root-reverse-10"
- domain = "10.in-addr.arpa."
- client_networks = [module.dev-spoke-vpc.self_link]
- forwarders = { for ip in var.dns.dev : ip => null }
+ source = "../../../modules/dns"
+ project_id = module.dev-spoke-project.project_id
+ name = "root-reverse-10"
+ zone_config = {
+ domain = "10.in-addr.arpa."
+ forwarding = {
+ client_networks = [module.dev-spoke-vpc.self_link]
+ forwarders = { for ip in var.dns.dev : ip => null }
+ }
+ }
 }
 # Google APIs
diff --git a/fast/stages/2-networking-d-separate-envs/dns-prod.tf b/fast/stages/2-networking-d-separate-envs/dns-prod.tf
index 351db57f0..17d3d531b 100644
--- a/fast/stages/2-networking-d-separate-envs/dns-prod.tf
+++ b/fast/stages/2-networking-d-separate-envs/dns-prod.tf
@@ -19,12 +19,15 @@
 # GCP-specific environment zone
 module "prod-dns-private-zone" {
- source = "../../../modules/dns"
- project_id = module.prod-spoke-project.project_id
- type = "private"
- name = "prod-gcp-example-com"
- domain = "prod.gcp.example.com."
- client_networks = [module.prod-spoke-vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = module.prod-spoke-project.project_id
+ name = "prod-gcp-example-com"
+ zone_config = {
+ domain = "prod.gcp.example.com."
+ private = {
+ client_networks = [module.prod-spoke-vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 }
@@ -36,13 +39,16 @@ moved {
 }
 module "prod-dns-fwd-onprem-example" {
- source = "../../../modules/dns"
- project_id = module.prod-spoke-project.project_id
- type = "forwarding"
- name = "example-com"
- domain = "onprem.example.com."
- client_networks = [module.prod-spoke-vpc.self_link]
- forwarders = { for ip in var.dns.prod : ip => null }
+ source = "../../../modules/dns"
+ project_id = module.prod-spoke-project.project_id
+ name = "example-com"
+ zone_config = {
+ domain = "onprem.example.com."
+ forwarding = {
+ client_networks = [module.prod-spoke-vpc.self_link]
+ forwarders = { for ip in var.dns.prod : ip => null }
+ }
+ }
 }
 moved {
@@ -51,13 +57,16 @@ moved {
 }
 module "prod-dns-fwd-onprem-rev-10" {
- source = "../../../modules/dns"
- project_id = module.prod-spoke-project.project_id
- type = "forwarding"
- name = "root-reverse-10"
- domain = "10.in-addr.arpa."
- client_networks = [module.prod-spoke-vpc.self_link]
- forwarders = { for ip in var.dns.prod : ip => null }
+ source = "../../../modules/dns"
+ project_id = module.prod-spoke-project.project_id
+ name = "root-reverse-10"
+ zone_config = {
+ domain = "10.in-addr.arpa."
+ forwarding = {
+ client_networks = [module.prod-spoke-vpc.self_link]
+ forwarders = { for ip in var.dns.prod : ip => null }
+ }
+ }
 }
 # Google APIs
diff --git a/fast/stages/2-networking-e-nva-bgp/dns-dev.tf b/fast/stages/2-networking-e-nva-bgp/dns-dev.tf
index 98d56aa72..ccedee721 100644
--- a/fast/stages/2-networking-e-nva-bgp/dns-dev.tf
+++ b/fast/stages/2-networking-e-nva-bgp/dns-dev.tf
@@ -19,12 +19,15 @@
 # GCP-specific environment zone
 module "dev-dns-private-zone" {
- source = "../../../modules/dns"
- project_id = module.dev-spoke-project.project_id
- type = "private"
- name = "dev-gcp-example-com"
- domain = "dev.gcp.example.com."
- client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = module.dev-spoke-project.project_id
+ name = "dev-gcp-example-com"
+ zone_config = {
+ domain = "dev.gcp.example.com."
+ private = {
+ client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 }
@@ -38,13 +41,16 @@ moved {
 }
 module "dev-dns-peer-landing-root" {
- source = "../../../modules/dns"
- project_id = module.dev-spoke-project.project_id
- type = "peering"
- name = "dev-root-dns-peering"
- domain = "."
- client_networks = [module.dev-spoke-vpc.self_link]
- peer_network = module.landing-trusted-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = module.dev-spoke-project.project_id
+ name = "dev-root-dns-peering"
+ zone_config = {
+ domain = "."
+ peering = {
+ client_networks = [module.dev-spoke-vpc.self_link]
+ peer_network = module.landing-trusted-vpc.self_link
+ }
+ }
 }
 moved {
@@ -53,11 +59,14 @@ moved {
 }
 module "dev-dns-peer-landing-rev-10" {
- source = "../../../modules/dns"
- project_id = module.dev-spoke-project.project_id
- type = "peering"
- name = "dev-reverse-10-dns-peering"
- domain = "10.in-addr.arpa."
- client_networks = [module.dev-spoke-vpc.self_link]
- peer_network = module.landing-trusted-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = module.dev-spoke-project.project_id
+ name = "dev-reverse-10-dns-peering"
+ zone_config = {
+ domain = "10.in-addr.arpa."
+ peering = {
+ client_networks = [module.dev-spoke-vpc.self_link]
+ peer_network = module.landing-trusted-vpc.self_link
+ }
+ }
 }
diff --git a/fast/stages/2-networking-e-nva-bgp/dns-landing.tf b/fast/stages/2-networking-e-nva-bgp/dns-landing.tf
index 50b658901..5c8e17775 100644
--- a/fast/stages/2-networking-e-nva-bgp/dns-landing.tf
+++ b/fast/stages/2-networking-e-nva-bgp/dns-landing.tf
@@ -26,14 +26,17 @@ moved {
 module "landing-dns-fwd-onprem-example" {
 source = "../../../modules/dns"
 project_id = module.landing-project.project_id
- type = "forwarding"
 name = "example-com"
- domain = "onprem.example.com."
- client_networks = [
- module.landing-untrusted-vpc.self_link,
- module.landing-trusted-vpc.self_link
- ]
- forwarders = { for ip in var.dns.onprem : ip => null }
+ zone_config = {
+ domain = "onprem.example.com."
+ forwarding = {
+ client_networks = [
+ module.landing-untrusted-vpc.self_link,
+ module.landing-trusted-vpc.self_link
+ ]
+ forwarders = { for ip in var.dns.onprem : ip => null }
+ }
+ }
 }
 moved {
@@ -44,14 +47,17 @@ moved {
 module "landing-dns-fwd-onprem-rev-10" {
 source = "../../../modules/dns"
 project_id = module.landing-project.project_id
- type = "forwarding"
 name = "root-reverse-10"
- domain = "10.in-addr.arpa."
- client_networks = [
- module.landing-untrusted-vpc.self_link,
- module.landing-trusted-vpc.self_link
- ]
- forwarders = { for ip in var.dns.onprem : ip => null }
+ zone_config = {
+ domain = "10.in-addr.arpa."
+ forwarding = {
+ client_networks = [
+ module.landing-untrusted-vpc.self_link,
+ module.landing-trusted-vpc.self_link
+ ]
+ forwarders = { for ip in var.dns.onprem : ip => null }
+ }
+ }
 }
 moved {
@@ -62,13 +68,16 @@ moved {
 module "landing-dns-priv-gcp" {
 source = "../../../modules/dns"
 project_id = module.landing-project.project_id
- type = "private"
 name = "gcp-example-com"
- domain = "gcp.example.com."
- client_networks = [
- module.landing-untrusted-vpc.self_link,
- module.landing-trusted-vpc.self_link
- ]
+ zone_config = {
+ domain = "gcp.example.com."
+ private = {
+ client_networks = [
+ module.landing-untrusted-vpc.self_link,
+ module.landing-trusted-vpc.self_link
+ ]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 }
diff --git a/fast/stages/2-networking-e-nva-bgp/dns-prod.tf b/fast/stages/2-networking-e-nva-bgp/dns-prod.tf
index 5627e4386..62cfab03c 100644
--- a/fast/stages/2-networking-e-nva-bgp/dns-prod.tf
+++ b/fast/stages/2-networking-e-nva-bgp/dns-prod.tf
@@ -19,12 +19,15 @@
 # GCP-specific environment zone
 module "prod-dns-private-zone" {
- source = "../../../modules/dns"
- project_id = module.prod-spoke-project.project_id
- type = "private"
- name = "prod-gcp-example-com"
- domain = "prod.gcp.example.com."
- client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+ source = "../../../modules/dns"
+ project_id = module.prod-spoke-project.project_id
+ name = "prod-gcp-example-com"
+ zone_config = {
+ domain = "prod.gcp.example.com."
+ private = {
+ client_networks = [module.landing-trusted-vpc.self_link, module.landing-untrusted-vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 }
@@ -38,13 +41,16 @@ moved {
 }
 module "prod-dns-peer-landing-root" {
- source = "../../../modules/dns"
- project_id = module.prod-spoke-project.project_id
- type = "peering"
- name = "prod-root-dns-peering"
- domain = "."
- client_networks = [module.prod-spoke-vpc.self_link]
- peer_network = module.landing-trusted-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = module.prod-spoke-project.project_id
+ name = "prod-root-dns-peering"
+ zone_config = {
+ domain = "."
+ peering = {
+ client_networks = [module.prod-spoke-vpc.self_link]
+ peer_network = module.landing-trusted-vpc.self_link
+ }
+ }
 }
 moved {
@@ -53,11 +59,14 @@ moved {
 }
 module "prod-dns-peer-landing-rev-10" {
- source = "../../../modules/dns"
- project_id = module.prod-spoke-project.project_id
- type = "peering"
- name = "prod-reverse-10-dns-peering"
- domain = "10.in-addr.arpa."
- client_networks = [module.prod-spoke-vpc.self_link]
- peer_network = module.landing-trusted-vpc.self_link
+ source = "../../../modules/dns"
+ project_id = module.prod-spoke-project.project_id
+ name = "prod-reverse-10-dns-peering"
+ zone_config = {
+ domain = "10.in-addr.arpa."
+ peering = {
+ client_networks = [module.prod-spoke-vpc.self_link]
+ peer_network = module.landing-trusted-vpc.self_link
+ }
+ }
 }
diff --git a/modules/dns/README.md b/modules/dns/README.md
index 6b3b5607a..4e9a882f5 100644
--- a/modules/dns/README.md
+++ b/modules/dns/README.md
@@ -10,12 +10,15 @@ For DNSSEC configuration, refer to the [`dns_managed_zone` documentation](https:
 ```hcl
 module "private-dns" {
- source = "./fabric/modules/dns"
- project_id = "myproject"
- type = "private"
- name = "test-example"
- domain = "test.example."
- client_networks = [var.vpc.self_link]
+ source = "./fabric/modules/dns"
+ project_id = "myproject"
+ name = "test-example"
+ zone_config = {
+ domain = "test.example."
+ private = {
+ client_networks = [var.vpc.self_link]
+ }
+ }
 recordsets = {
 "A localhost" = { records = ["127.0.0.1"] }
 "A myhost" = { ttl = 600, records = ["10.0.0.120"] }
@@ -24,50 +27,58 @@ module "private-dns" {
 "roles/dns.admin" = ["group:dns-administrators@myorg.com"]
 }
 }
-# tftest modules=1 resources=4 inventory=private-zone.yaml
+# tftest modules=1 resources=5 inventory=private-zone.yaml
 ```
 ### Forwarding Zone
 ```hcl
 module "private-dns" {
- source = "./fabric/modules/dns"
- project_id = "myproject"
- type = "forwarding"
- name = "test-example"
- domain = "test.example."
- client_networks = [var.vpc.self_link]
- forwarders = { "10.0.1.1" = null, "1.2.3.4" = "private" }
+ source = "./fabric/modules/dns"
+ project_id = "myproject"
+ name = "test-example"
+ zone_config = {
+ domain = "test.example."
+ forwarding = {
+ client_networks = [var.vpc.self_link]
+ forwarders = { "10.0.1.1" = null, "1.2.3.4" = "private" }
+ }
+ }
 }
-# tftest modules=1 resources=1 inventory=forwarding-zone.yaml
+# tftest modules=1 resources=2 inventory=forwarding-zone.yaml
 ```
 ### Peering Zone
 ```hcl
 module "private-dns" {
- source = "./fabric/modules/dns"
- project_id = "myproject"
- type = "peering"
- name = "test-example"
- domain = "."
- description = "Forwarding zone for ."
- client_networks = [var.vpc.self_link]
- peer_network = var.vpc2.self_link
+ source = "./fabric/modules/dns"
+ project_id = "myproject"
+ name = "test-example"
+ zone_config = {
+ domain = "."
+ peering = {
+ client_networks = [var.vpc.self_link]
+ peer_network = var.vpc2.self_link
+ }
+ }
 }
-# tftest modules=1 resources=1 inventory=peering-zone.yaml
+# tftest modules=1 resources=2 inventory=peering-zone.yaml
 ```
 ### Routing Policies
 ```hcl
 module "private-dns" {
- source = "./fabric/modules/dns"
- project_id = "myproject"
- type = "private"
- name = "test-example"
- domain = "test.example."
- client_networks = [var.vpc.self_link]
+ source = "./fabric/modules/dns"
+ project_id = "myproject"
+ name = "test-example"
+ zone_config = {
+ domain = "test.example."
+ private = {
+ client_networks = [var.vpc.self_link]
+ }
+ }
 recordsets = {
 "A regular" = { records = ["10.20.0.1"] }
 "A geo" = {
@@ -88,21 +99,24 @@ module "private-dns" {
 }
 }
 }
-# tftest modules=1 resources=4 inventory=routing-policies.yaml
+# tftest modules=1 resources=5 inventory=routing-policies.yaml
 ```
 ### Reverse Lookup Zone
 ```hcl
 module "private-dns" {
- source = "./fabric/modules/dns"
- project_id = "myproject"
- type = "reverse-managed"
- name = "test-example"
- domain = "0.0.10.in-addr.arpa."
- client_networks = [var.vpc.self_link]
+ source = "./fabric/modules/dns"
+ project_id = "myproject"
+ name = "test-example"
+ zone_config = {
+ domain = "0.0.10.in-addr.arpa."
+ private = {
+ client_networks = [var.vpc.self_link]
+ }
+ }
 }
-# tftest modules=1 resources=1 inventory=reverse-zone.yaml
+# tftest modules=1 resources=2 inventory=reverse-zone.yaml
 ```
 ### Public Zone
@@ -111,9 +125,11 @@ module "private-dns" {
 module "public-dns" {
 source = "./fabric/modules/dns"
 project_id = "myproject"
- type = "public"
 name = "example"
- domain = "example.com."
+ zone_config = {
+ domain = "example.com."
+ public = {}
+ }
 recordsets = {
 "A myhost" = { ttl = 300, records = ["127.0.0.1"] }
 }
@@ -129,20 +145,12 @@ module "public-dns" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [domain](variables.tf#L54) | Zone domain, must end with a period. | string | ✓ | |
-| [name](variables.tf#L78) | Zone name, must be unique within the project. | string | ✓ | |
-| [project_id](variables.tf#L89) | Project id for the zone. | string | ✓ | |
-| [client_networks](variables.tf#L21) | List of VPC self links that can see this zone. | list(string) | | [] |
-| [description](variables.tf#L28) | Domain description. | string | | "Terraform managed." |
-| [dnssec_config](variables.tf#L34) | DNSSEC configuration for this zone. | object({…}) | | {…} |
-| [enable_logging](variables.tf#L59) | Enable query logging for this zone. | bool | | false |
-| [forwarders](variables.tf#L66) | Map of {IPV4_ADDRESS => FORWARDING_PATH} for 'forwarding' zone types. Path can be 'default', 'private', or null for provider default. | map(string) | | {} |
-| [iam](variables.tf#L72) | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | null |
-| [peer_network](variables.tf#L83) | Peering network self link, only valid for 'peering' zone types. | string | | null |
-| [recordsets](variables.tf#L94) | Map of DNS recordsets in \"type name\" => {ttl, [records]} format. | map(object({…})) | | {} |
-| [service_directory_namespace](variables.tf#L129) | Service directory namespace id (URL), only valid for 'service-directory' zone types. | string | | null |
-| [type](variables.tf#L135) | Type of zone to create, valid values are 'public', 'private', 'forwarding', 'peering', 'service-directory','reverse-managed'. | string | | "private" |
-| [zone_create](variables.tf#L145) | Create zone. When set to false, uses a data source to reference existing zone. | bool | | true |
+| [name](variables.tf#L33) | Zone name, must be unique within the project. | string | ✓ | |
+| [project_id](variables.tf#L38) | Project id for the zone. | string | ✓ | |
+| [description](variables.tf#L21) | Domain description. | string | | "Terraform managed." |
+| [iam](variables.tf#L27) | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | null |
+| [recordsets](variables.tf#L43) | Map of DNS recordsets in \"type name\" => {ttl, [records]} format. | map(object({…})) | | {} |
+| [zone_config](variables.tf#L78) | DNS zone configuration. | object({…}) | | null |
 ## Outputs
@@ -153,7 +161,6 @@ module "public-dns" {
 | [id](outputs.tf#L27) | Fully qualified zone id. | |
 | [name](outputs.tf#L32) | The DNS zone name. | |
 | [name_servers](outputs.tf#L37) | The DNS zone name servers. | |
-| [type](outputs.tf#L42) | The DNS zone type. | |
-| [zone](outputs.tf#L47) | DNS zone resource. | |
+| [zone](outputs.tf#L42) | DNS zone resource. | |
diff --git a/modules/dns/main.tf b/modules/dns/main.tf
index 217ccd441..d10b63199 100644
--- a/modules/dns/main.tf
+++ b/modules/dns/main.tf
@@ -15,77 +15,87 @@
 */
 locals {
+ managed_zone = (var.zone_config == null ?
+ data.google_dns_managed_zone.dns_managed_zone.0
+ : google_dns_managed_zone.dns_managed_zone.0
+ )
 # split record name and type and set as keys in a map
 _recordsets_0 = {
 for key, attrs in var.recordsets :
 key => merge(attrs, zipmap(["type", "name"], split(" ", key)))
 }
 # compute the final resource name for the recordset
- _recordsets = {
+ recordsets = {
 for key, attrs in local._recordsets_0 :
 key => merge(attrs, {
 resource_name = (
 attrs.name == ""
- ? var.domain
+ ? local.managed_zone.dns_name
 : (
 substr(attrs.name, -1, 1) == "."
 ? attrs.name
- : "${attrs.name}.${var.domain}"
+ : "${attrs.name}.${local.managed_zone.dns_name}"
 )
 )
 })
 }
- # split recordsets between regular, geo and wrr
- geo_recordsets = {
- for k, v in local._recordsets :
- k => v
- if v.geo_routing != null
- }
- regular_recordsets = {
- for k, v in local._recordsets :
- k => v
- if v.records != null
- }
- wrr_recordsets = {
- for k, v in local._recordsets :
- k => v
- if v.wrr_routing != null
- }
- zone = (
- var.zone_create
- ? try(
- google_dns_managed_zone.non-public.0, try(
- google_dns_managed_zone.public.0, null
- )
- )
- : try(data.google_dns_managed_zone.public.0, null)
+ client_networks = concat(
+ coalesce(try(var.zone_config.forwarding.client_networks, null), []),
+ coalesce(try(var.zone_config.peering.client_networks, null), []),
+ coalesce(try(var.zone_config.private.client_networks, null), [])
 )
- dns_keys = try(
- data.google_dns_keys.dns_keys.0, null
+ visibility = (var.zone_config == null ?
+ null
+ : (var.zone_config.forwarding != null ||
+ var.zone_config.peering != null
+ || var.zone_config.private != null) ?
+ "private" :
+ "public"
 )
 }
-resource "google_dns_managed_zone" "non-public" {
- count = (var.zone_create && var.type != "public") ? 1 : 0
+resource "google_dns_managed_zone" "dns_managed_zone" {
+ count = (var.zone_config == null) ? 0 : 1
 provider = google-beta
 project = var.project_id
 name = var.name
- dns_name = var.domain
+ dns_name = var.zone_config.domain
 description = var.description
- visibility = "private"
- reverse_lookup = (var.type == "reverse-managed")
+ visibility = local.visibility
+ reverse_lookup = try(var.zone_config.private, null) != null && endswith(var.zone_config.domain, ".in-addr.arpa.")
+
+ dynamic "dnssec_config" {
+ for_each = try(var.zone_config.public.dnssec_config, null) == null ? [] : [""]
+ iterator = config
+ content {
+ kind = "dns#managedZoneDnsSecConfig"
+ non_existence = var.zone_config.public.dnssec_config.non_existence
+ state = var.zone_config.public.dnssec_config.state
+
+ default_key_specs {
+ algorithm = var.zone_config.public.dnssec_config.key_signing_key.algorithm
+ key_length = var.zone_config.public.dnssec_config.key_signing_key.key_length
+ key_type = "keySigning"
+ kind = "dns#dnsKeySpec"
+ }
+
+ default_key_specs {
+ algorithm = var.zone_config.public.dnssec_config.zone_signing_key.algorithm
+ key_length = var.zone_config.public.dnssec_config.zone_signing_key.key_length
+ key_type = "zoneSigning"
+ kind = "dns#dnsKeySpec"
+ }
+ }
+ }
 dynamic "forwarding_config" {
- for_each = (
- var.type == "forwarding" &&
- var.forwarders != null &&
- length(var.forwarders) > 0
+ for_each = (length(coalesce(try(var.zone_config.forwarding.forwarders, null), {})) > 0
 ? [""] : []
 )
 content {
 dynamic "target_name_servers" {
- for_each = var.forwarders
+ for_each = var.zone_config.forwarding.forwarders
 iterator = forwarder
 content {
 ipv4_address = forwarder.key
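Review bot: `reverse_lookup` is now inferred (`try(var.zone_config.private, null) != null && endswith(var.zone_config.domain, ".in-addr.arpa.")`) instead of being selected by the removed `type = "reverse-managed"`, so a private zone whose domain ends in `.in-addr.arpa.` but was created with `type = "private"` to hold its own PTR records will see `reverse_lookup` flip to true on the next plan, and since the provider treats that attribute as replace-on-change the zone and its recordsets are destroyed and recreated with no change in the caller's intent. An explicit opt-in (a boolean under `zone_config.private`, default false, with the suffix check kept only as a validation) would keep existing zones stable; at minimum the README should call this out as a migration-affecting change. `endswith()` only exists from Terraform 1.3, so the module's `required_version` needs to be at least that. The DNSSEC block now renders only when `zone_config.public.dnssec_config` is non-null, whereas the removed `dnssec_config` variable had a non-null default (`{…}` in the old README table); if the new nested attribute defaults to null, public zones silently lose DNSSEC-by-default, which should either be restored with an `optional(..., default)` or documented as a deliberate change.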
@@ -96,21 +106,19 @@ resource "google_dns_managed_zone" "non-public" { } dynamic "peering_config" { - for_each = ( - var.type == "peering" && var.peer_network != null ? [""] : [] - ) + for_each = try(var.zone_config.peering.peer_network, null) == null ? [] : [""] content { target_network { - network_url = var.peer_network + network_url = var.zone_config.peering.peer_network } } } dynamic "private_visibility_config" { - for_each = length(var.client_networks) > 0 ? [""] : [] + for_each = length(local.client_networks) > 0 ? [""] : [] content { dynamic "networks" { - for_each = var.client_networks + for_each = local.client_networks iterator = network content { network_url = network.value 
@@ -120,85 +128,41 @@ resource "google_dns_managed_zone" "non-public" { } dynamic "service_directory_config" { - for_each = ( - var.type == "service-directory" && var.service_directory_namespace != null - ? [""] - : [] + for_each = (try(var.zone_config.private.service_directory_namespace, null) == null + ? [] + : [""] ) content { namespace { - namespace_url = var.service_directory_namespace + namespace_url = var.zone_config.private.service_directory_namespace } } } cloud_logging_config { - enable_logging = var.enable_logging + enable_logging = try(var.zone_config.enable_logging, false) } } -data "google_dns_managed_zone" "public" { - count = var.zone_create ? 0 : 1 +data "google_dns_managed_zone" "dns_managed_zone" { + count = var.zone_config == null ? 1 : 0 project = var.project_id name = var.name } -resource "google_dns_managed_zone" "public" { - count = (var.zone_create && var.type == "public") ? 1 : 0 - project = var.project_id - name = var.name - dns_name = var.domain - description = var.description - visibility = "public" - - dynamic "dnssec_config" { - for_each = var.dnssec_config == null ? [] : [1] - iterator = config - content { - kind = "dns#managedZoneDnsSecConfig" - non_existence = var.dnssec_config.non_existence - state = var.dnssec_config.state - - default_key_specs { - algorithm = var.dnssec_config.key_signing_key.algorithm - key_length = var.dnssec_config.key_signing_key.key_length - key_type = "keySigning" - kind = "dns#dnsKeySpec" - } - - default_key_specs { - algorithm = var.dnssec_config.zone_signing_key.algorithm - key_length = var.dnssec_config.zone_signing_key.key_length - key_type = "zoneSigning" - kind = "dns#dnsKeySpec" - } - } - } - cloud_logging_config { - enable_logging = var.enable_logging - } -} - resource "google_dns_managed_zone_iam_binding" "iam_bindings" { - for_each = coalesce(var.iam, {}) - project = var.project_id - managed_zone = (var.type == "public" - ? 
google_dns_managed_zone.public[0].name - : google_dns_managed_zone.non-public[0].name) - role = each.key - members = each.value + for_each = coalesce(var.iam, {}) + project = var.project_id + managed_zone = local.managed_zone.id + role = each.key + members = each.value } data "google_dns_keys" "dns_keys" { - count = var.zone_create && (var.dnssec_config == {} || var.type != "public") ? 0 : 1 - managed_zone = local.zone.id + managed_zone = local.managed_zone.id } -resource "google_dns_record_set" "cloud-static-records" { - for_each = ( - var.type == "public" || var.type == "private" - ? local.regular_recordsets - : {} - ) +resource "google_dns_record_set" "dns_record_set" { + for_each = local.recordsets project = var.project_id managed_zone = var.name name = each.value.resource_name 
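Review bot: `data "google_dns_keys" "dns_keys"` loses its `count` guard and is now read for every zone, including forwarding, peering and private zones, whereas before it was only read for public zones with DNSSEC configured or for existing zones referenced by data source. The DNSKEY listing is only meaningful for DNSSEC-signed zones, so whether the API tolerates private/forwarding zones should be confirmed against one of the private examples; if it does not, restore the guard with `count = (var.zone_config == null || try(var.zone_config.public.dnssec_config, null) != null) ? 1 : 0` and index it as `[0]` in outputs.tf. The `dns_record_set` resource continues past the end of the hunk.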
@@ -206,63 +170,27 @@ resource "google_dns_record_set" "cloud-static-records" { ttl = each.value.ttl rrdatas = each.value.records - depends_on = [ - google_dns_managed_zone.non-public, google_dns_managed_zone.public - ] -} - -resource "google_dns_record_set" "cloud-geo-records" { - for_each = ( - var.type == "public" || var.type == "private" - ? local.geo_recordsets - : {} - ) - project = var.project_id - managed_zone = var.name - name = each.value.resource_name - type = each.value.type - ttl = each.value.ttl - - routing_policy { - dynamic "geo" { - for_each = each.value.geo_routing - iterator = policy - content { - location = policy.value.location - rrdatas = policy.value.records + dynamic "routing_policy" { + for_each = (each.value.geo_routing != null || each.value.wrr_routing != null) ? [""] : [] + content { + dynamic "geo" { + for_each = coalesce(each.value.geo_routing, []) + content { + location = geo.value.location + rrdatas = geo.value.records + } + } + dynamic "wrr" { + for_each = coalesce(each.value.wrr_routing, []) + content { + weight = wrr.value.weight + rrdatas = wrr.value.records + } } } } depends_on = [ - google_dns_managed_zone.non-public, google_dns_managed_zone.public + google_dns_managed_zone.dns_managed_zone ] -} - -resource "google_dns_record_set" "cloud-wrr-records" { - for_each = ( - var.type == "public" || var.type == "private" - ? local.wrr_recordsets - : {} - ) - project = var.project_id - managed_zone = var.name - name = each.value.resource_name - type = each.value.type - ttl = each.value.ttl - - routing_policy { - dynamic "wrr" { - for_each = each.value.wrr_routing - iterator = policy - content { - weight = policy.value.weight - rrdatas = policy.value.records - } - } - } - - depends_on = [ - google_dns_managed_zone.non-public, google_dns_managed_zone.public - ] -} +} \ No newline at end of file diff --git a/modules/dns/outputs.tf b/modules/dns/outputs.tf index ba87aea44..f8297d8be 100644 --- a/modules/dns/outputs.tf 
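Review bot: The rewritten main.tf ends without a trailing newline (the `\ No newline at end of file` marker after the closing `}`), which the rest of the module's files keep; add the newline so the file matches the repository's formatting. The merged `routing_policy` block and the single `dns_record_set` resource otherwise look consistent with the old geo/wrr resources. The resource's opening lines are outside the hunk.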
+++ b/modules/dns/outputs.tf @@ -16,35 +16,30 @@ output "dns_keys" { description = "DNSKEY and DS records of DNSSEC-signed managed zones." - value = local.dns_keys + value = data.google_dns_keys.dns_keys } output "domain" { description = "The DNS zone domain." - value = try(local.zone.dns_name, null) + value = local.managed_zone.dns_name } output "id" { description = "Fully qualified zone id." - value = try(local.zone.id, null) + value = local.managed_zone.id } output "name" { description = "The DNS zone name." - value = try(local.zone.name, null) + value = local.managed_zone.name } output "name_servers" { description = "The DNS zone name servers." - value = try(local.zone.name_servers, null) -} - -output "type" { - description = "The DNS zone type." - value = var.type + value = local.managed_zone.name_servers } output "zone" { description = "DNS zone resource." - value = local.zone + value = local.managed_zone } diff --git a/modules/dns/variables.tf b/modules/dns/variables.tf index 18a4187ee..1a9acf02c 100644 --- a/modules/dns/variables.tf +++ b/modules/dns/variables.tf 
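Review bot: Removing `output "type"` is a breaking change for any caller that reads `module.dns.type`, and the commit describes itself only as a refactoring; either keep a `type` output derived from which `zone_config` sub-block is set, or state the removal in the commit description and the module README. The `dns_keys` output now exposes the whole data source instead of a null-safe value; if the data source regains a `count` guard in main.tf, this output needs `value = try(data.google_dns_keys.dns_keys[0], null)` to avoid a plan error for zones without DNSSEC.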
@@ -18,57 +18,12 @@ # zone variables # ############################################################################### -variable "client_networks" { - description = "List of VPC self links that can see this zone." - type = list(string) - default = [] - nullable = false -} - variable "description" { description = "Domain description." type = string default = "Terraform managed." } -variable "dnssec_config" { - description = "DNSSEC configuration for this zone." - type = object({ - non_existence = optional(string, "nsec3") - state = string - key_signing_key = optional(object( - { algorithm = string, key_length = number }), - { algorithm = "rsasha256", key_length = 2048 } - ) - zone_signing_key = optional(object( - { algorithm = string, key_length = number }), - { algorithm = "rsasha256", key_length = 1024 } - ) - }) - default = { - state = "off" - } - nullable = false -} - -variable "domain" { - description = "Zone domain, must end with a period." - type = string -} - -variable "enable_logging" { - description = "Enable query logging for this zone." - type = bool - default = false - nullable = false -} - -variable "forwarders" { - description = "Map of {IPV4_ADDRESS => FORWARDING_PATH} for 'forwarding' zone types. Path can be 'default', 'private', or null for provider default." - type = map(string) - default = {} -} - variable "iam" { description = "IAM bindings in {ROLE => [MEMBERS]} format." type = map(list(string)) @@ -80,12 +35,6 @@ variable "name" { type = string } -variable "peer_network" { - description = "Peering network self link, only valid for 'peering' zone types." - type = string - default = null -} - variable "project_id" { description = "Project id for the zone." type = string 
@@ -126,27 +75,48 @@ variable "recordsets" { } } -variable "service_directory_namespace" { - description = "Service directory namespace id (URL), only valid for 'service-directory' zone types." - type = string - default = null -} - -variable "type" { - description = "Type of zone to create, valid values are 'public', 'private', 'forwarding', 'peering', 'service-directory','reverse-managed'." - type = string - default = "private" +variable "zone_config" { + description = "DNS zone configuration." + type = object({ + domain = string + enable_logging = optional(bool, false) + forwarding = optional(object({ + forwarders = optional(map(string)) + client_networks = list(string) + })) + peering = optional(object({ + client_networks = list(string) + peer_network = string + })) + public = optional(object({ + dnssec_config = optional(object({ + non_existence = optional(string, "nsec3") + state = string + key_signing_key = optional(object( + { algorithm = string, key_length = number }), + { algorithm = "rsasha256", key_length = 2048 } + ) + zone_signing_key = optional(object( + { algorithm = string, key_length = number }), + { algorithm = "rsasha256", key_length = 1024 } + ) + })) + })) + private = optional(object({ + client_networks = list(string) + service_directory_namespace = optional(string) + })) + }) validation { - condition = contains(["public", "private", "forwarding", "peering", "service-directory", "reverse-managed"], var.type) - error_message = "Zone must be one of 'public', 'private', 'forwarding', 'peering', 'service-directory','reverse-managed'." + condition = ( + (try(var.zone_config.forwarding, null) == null ? 0 : 1) + + (try(var.zone_config.peering, null) == null ? 0 : 1) + + (try(var.zone_config.public, null) == null ? 0 : 1) + + (try(var.zone_config.private, null) == null ? 0 : 1) <= 1 + ) + error_message = "Only one type of zone can be configured at a time." } -} - -variable "zone_create" { - description = "Create zone. 
When set to false, uses a data source to reference existing zone." - type = bool - default = true + default = null } - diff --git a/modules/service-directory/README.md b/modules/service-directory/README.md index ee8323e48..d79c53043 100644 --- a/modules/service-directory/README.md +++ b/modules/service-directory/README.md @@ -77,15 +77,18 @@ module "service-directory" { } module "dns-sd" { - source = "./fabric/modules/dns" - project_id = "my-project" - type = "service-directory" - name = "apps" - domain = "apps.example.org." - client_networks = [var.vpc.self_link] - service_directory_namespace = module.service-directory.id + source = "./fabric/modules/dns" + project_id = "my-project" + name = "apps" + zone_config = { + domain = "apps.example.org." + private = { + client_networks = [var.vpc.self_link] + service_directory_namespace = module.service-directory.id + } + } } -# tftest modules=2 resources=5 inventory=dns.yaml +# tftest modules=2 resources=6 inventory=dns.yaml ``` diff --git a/tests/blueprints/factories/project_factory/examples/example.yaml b/tests/blueprints/factories/project_factory/examples/example.yaml index f8396ef1d..ee4a1b489 100644 --- a/tests/blueprints/factories/project_factory/examples/example.yaml +++ b/tests/blueprints/factories/project_factory/examples/example.yaml @@ -65,7 +65,7 @@ values: project: test1-project sensitive_labels: [] type: email - module.projects["project"].module.dns["ipsum"].google_dns_managed_zone.non-public[0]: + module.projects["project"].module.dns["ipsum"].google_dns_managed_zone.dns_managed_zone[0]: dns_name: ipsum.dev.example.org name: ipsum private_visibility_config: 
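Review bot: The new `zone_config` description ("DNS zone configuration.") drops the per-field semantics that the deleted variables documented, in particular that `domain` must end with a period, that `forwarders` maps an IPv4 address to a forwarding path of 'default', 'private' or null, that `service_directory_namespace` is a namespace URL, and that setting the variable to null references an existing zone by name instead of creating one. Expand the description to carry those four facts, and state how the sub-blocks select the zone type as the code actually behaves (at most one of `forwarding`, `peering`, `public` or `private`, with none of them resulting in a public zone). The `validation` message "Only one type of zone can be configured at a time." should then match that wording.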
@@ -74,7 +74,7 @@ values: - network_url: projects/foo/networks/bar project: fast-dev-net-spoke-0 visibility: private - module.projects["project"].module.dns["lorem"].google_dns_managed_zone.non-public[0]: + module.projects["project"].module.dns["lorem"].google_dns_managed_zone.dns_managed_zone[0]: dns_name: lorem.dev.example.org name: lorem private_visibility_config: diff --git a/tests/fast/stages/s2_networking_a_peering/stage.yaml b/tests/fast/stages/s2_networking_a_peering/stage.yaml index ae14f3cf4..9a16a6b44 100644 --- a/tests/fast/stages/s2_networking_a_peering/stage.yaml +++ b/tests/fast/stages/s2_networking_a_peering/stage.yaml @@ -14,4 +14,4 @@ counts: modules: 27 - resources: 142 + resources: 151 diff --git a/tests/fast/stages/s2_networking_b_vpn/stage.yaml b/tests/fast/stages/s2_networking_b_vpn/stage.yaml index 1d0b86ef9..70c5c30ae 100644 --- a/tests/fast/stages/s2_networking_b_vpn/stage.yaml +++ b/tests/fast/stages/s2_networking_b_vpn/stage.yaml @@ -14,4 +14,4 @@ counts: modules: 29 - resources: 179 + resources: 188 diff --git a/tests/fast/stages/s2_networking_c_nva/stage.yaml b/tests/fast/stages/s2_networking_c_nva/stage.yaml index a17963260..e2d1aaf6f 100644 --- a/tests/fast/stages/s2_networking_c_nva/stage.yaml +++ b/tests/fast/stages/s2_networking_c_nva/stage.yaml @@ -14,4 +14,4 @@ counts: modules: 41 - resources: 188 + resources: 197 diff --git a/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml b/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml index a11e2d06e..4b24b4128 100644 --- a/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml +++ b/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml @@ -14,4 +14,4 @@ counts: modules: 20 - resources: 162 + resources: 168 diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml index 7e911d036..ffde4a399 100644 --- a/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml 
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml @@ -14,4 +14,4 @@ counts: modules: 35 - resources: 201 + resources: 210 diff --git a/tests/modules/dns/examples/forwarding-zone.yaml b/tests/modules/dns/examples/forwarding-zone.yaml index 4a09114ee..fc1bc2c8e 100644 --- a/tests/modules/dns/examples/forwarding-zone.yaml +++ b/tests/modules/dns/examples/forwarding-zone.yaml @@ -13,7 +13,7 @@ # limitations under the License. values: - module.private-dns.google_dns_managed_zone.non-public[0]: + module.private-dns.google_dns_managed_zone.dns_managed_zone[0]: dns_name: test.example. forwarding_config: - target_name_servers: diff --git a/tests/modules/dns/examples/peering-zone.yaml b/tests/modules/dns/examples/peering-zone.yaml index 9f16adab6..ea3996ed0 100644 --- a/tests/modules/dns/examples/peering-zone.yaml +++ b/tests/modules/dns/examples/peering-zone.yaml @@ -13,8 +13,8 @@ # limitations under the License. values: - module.private-dns.google_dns_managed_zone.non-public[0]: - description: Forwarding zone for . + module.private-dns.google_dns_managed_zone.dns_managed_zone[0]: + description: Terraform managed. dns_name: . forwarding_config: [] name: test-example diff --git a/tests/modules/dns/examples/private-zone.yaml b/tests/modules/dns/examples/private-zone.yaml index c82f97923..30e59c9f3 100644 --- a/tests/modules/dns/examples/private-zone.yaml +++ b/tests/modules/dns/examples/private-zone.yaml @@ -13,7 +13,7 @@ # limitations under the License. values: - module.private-dns.google_dns_managed_zone.non-public[0]: + module.private-dns.google_dns_managed_zone.dns_managed_zone[0]: description: Terraform managed. dns_name: test.example. force_destroy: false 
@@ -26,7 +26,7 @@ values: - network_url: projects/xxx/global/networks/aaa project: myproject visibility: private - module.private-dns.google_dns_record_set.cloud-static-records["A localhost"]: + module.private-dns.google_dns_record_set.dns_record_set["A localhost"]: managed_zone: test-example name: localhost.test.example. project: myproject @@ -35,7 +35,7 @@ values: - 127.0.0.1 ttl: 300 type: A - module.private-dns.google_dns_record_set.cloud-static-records["A myhost"]: + module.private-dns.google_dns_record_set.dns_record_set["A myhost"]: managed_zone: test-example name: myhost.test.example. project: myproject diff --git a/tests/modules/dns/examples/public-zone.yaml b/tests/modules/dns/examples/public-zone.yaml index 904d347e8..69f275998 100644 --- a/tests/modules/dns/examples/public-zone.yaml +++ b/tests/modules/dns/examples/public-zone.yaml @@ -13,12 +13,12 @@ # limitations under the License. values: - module.public-dns.google_dns_managed_zone.public[0]: + module.public-dns.google_dns_managed_zone.dns_managed_zone[0]: dns_name: example.com. name: example project: myproject visibility: public - module.public-dns.google_dns_record_set.cloud-static-records["A myhost"]: + module.public-dns.google_dns_record_set.dns_record_set["A myhost"]: managed_zone: example name: myhost.example.com. project: myproject diff --git a/tests/modules/dns/examples/reverse-zone.yaml b/tests/modules/dns/examples/reverse-zone.yaml index 17e76a12c..9798ced98 100644 --- a/tests/modules/dns/examples/reverse-zone.yaml +++ b/tests/modules/dns/examples/reverse-zone.yaml @@ -13,7 +13,7 @@ # limitations under the License. values: - module.private-dns.google_dns_managed_zone.non-public[0]: + module.private-dns.google_dns_managed_zone.dns_managed_zone[0]: description: Terraform managed. dns_name: 0.0.10.in-addr.arpa. name: test-example diff --git a/tests/modules/dns/examples/routing-policies.yaml b/tests/modules/dns/examples/routing-policies.yaml index 45b19276c..e5315bb74 100644 
--- a/tests/modules/dns/examples/routing-policies.yaml +++ b/tests/modules/dns/examples/routing-policies.yaml @@ -13,11 +13,11 @@ # limitations under the License. values: - module.private-dns.google_dns_managed_zone.non-public[0]: + module.private-dns.google_dns_managed_zone.dns_managed_zone[0]: dns_name: test.example. name: test-example project: myproject - module.private-dns.google_dns_record_set.cloud-geo-records["A geo"]: + module.private-dns.google_dns_record_set.dns_record_set["A geo"]: managed_zone: test-example name: geo.test.example. project: myproject @@ -41,7 +41,7 @@ values: rrdatas: null ttl: 300 type: A - module.private-dns.google_dns_record_set.cloud-static-records["A regular"]: + module.private-dns.google_dns_record_set.dns_record_set["A regular"]: managed_zone: test-example name: regular.test.example. project: myproject @@ -50,7 +50,7 @@ values: - 10.20.0.1 ttl: 300 type: A - module.private-dns.google_dns_record_set.cloud-wrr-records["A wrr"]: + module.private-dns.google_dns_record_set.dns_record_set["A wrr"]: managed_zone: test-example name: wrr.test.example. project: myproject diff --git a/tests/modules/dns/no_clients.tfvars b/tests/modules/dns/no_clients.tfvars deleted file mode 100644 index 97b722734..000000000 --- a/tests/modules/dns/no_clients.tfvars +++ /dev/null @@ -1,5 +0,0 @@ -type = "private" -domain = "test.example." -name = "test" -project_id = "my-project" -client_networks = [] diff --git a/tests/modules/dns/no_clients.yaml b/tests/modules/dns/no_clients.yaml deleted file mode 100644 index 42f628c9c..000000000 --- a/tests/modules/dns/no_clients.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -values: - google_dns_managed_zone.non-public[0]: - dns_name: test.example. - name: test - private_visibility_config: [] - visibility: private - -counts: - google_dns_managed_zone: 1 - modules: 0 - resources: 1 diff --git a/tests/modules/dns/null_forwarders.tfvars b/tests/modules/dns/null_forwarders.tfvars deleted file mode 100644 index 4514d6395..000000000 --- a/tests/modules/dns/null_forwarders.tfvars +++ /dev/null @@ -1,4 +0,0 @@ -type = "forwarding" -domain = "test.example." -name = "test" -project_id = "my-project" diff --git a/tests/modules/dns/null_forwarders.yaml b/tests/modules/dns/null_forwarders.yaml deleted file mode 100644 index bbe637fc2..000000000 --- a/tests/modules/dns/null_forwarders.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -values: - google_dns_managed_zone.non-public[0]: - forwarding_config: [] - -counts: - google_dns_managed_zone: 1 diff --git a/tests/modules/dns/tftest.yaml b/tests/modules/dns/tftest.yaml deleted file mode 100644 index 5172a013b..000000000 --- a/tests/modules/dns/tftest.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -module: modules/dns - -tests: - no_clients: - null_forwarders: diff --git a/tests/modules/service_directory/examples/dns.yaml b/tests/modules/service_directory/examples/dns.yaml index 57d49fbb3..42ace7074 100644 --- a/tests/modules/service_directory/examples/dns.yaml +++ b/tests/modules/service_directory/examples/dns.yaml 
@@ -13,7 +13,7 @@ # limitations under the License. values: - module.dns-sd.google_dns_managed_zone.non-public[0]: + module.dns-sd.google_dns_managed_zone.dns_managed_zone[0]: dns_name: apps.example.org. visibility: private module.service-directory.google_service_directory_endpoint.default["app1/one"]: