From f22d783cf79640e0de9c298d577c68cb32f01c44 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Thu, 13 Feb 2025 17:08:27 +0100
Subject: [PATCH] Address DNS issues with googleapis RPZ and forwarding (#2891)
* add empty DNS zone for googleapis to net stages
* add ipv6 records for private/restricted
* avoid permadiff in rpz ipv6 addresses
---
.../data/dns-policy-rules.yaml | 6 ++++++
fast/stages/2-networking-a-simple/dns-landing.tf | 13 +++++++++++++
.../2-networking-b-nva/data/dns-policy-rules.yaml | 6 ++++++
fast/stages/2-networking-b-nva/dns-landing.tf | 13 +++++++++++++
.../data/dns-policy-rules.yaml | 6 ++++++
fast/stages/2-networking-c-separate-envs/dns-dev.tf | 13 +++++++++++++
.../stages/2-networking-c-separate-envs/dns-prod.tf | 13 +++++++++++++
tests/fast/stages/s2_networking_a_simple/ncc.yaml | 6 +++---
.../fast/stages/s2_networking_a_simple/simple.yaml | 6 +++---
tests/fast/stages/s2_networking_a_simple/vpn.yaml | 6 +++---
tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml | 6 +++---
tests/fast/stages/s2_networking_b_nva/regional.yaml | 6 +++---
tests/fast/stages/s2_networking_b_nva/simple.yaml | 6 +++---
.../s2_networking_c_separate_envs/simple.yaml | 6 +++---
14 files changed, 91 insertions(+), 21 deletions(-)
diff --git a/fast/stages/2-networking-a-simple/data/dns-policy-rules.yaml b/fast/stages/2-networking-a-simple/data/dns-policy-rules.yaml
index 66ec9caf1..4539b249a 100644
--- a/fast/stages/2-networking-a-simple/data/dns-policy-rules.yaml
+++ b/fast/stages/2-networking-a-simple/data/dns-policy-rules.yaml
@@ -79,6 +79,9 @@ googleapis-private: - 199.36.153.9 - 199.36.153.10 - 199.36.153.11
+ AAAA:
+ rrdatas:
+ - "2600:2d00:2:2000::"
googleapis-restricted:
dns_name: "restricted.googleapis.com."
local_data:
@@ -88,6 +91,9 @@ googleapis-restricted: - 199.36.153.5 - 199.36.153.6 - 199.36.153.7
+ AAAA:
+ rrdatas:
+ - "2600:2d00:2:1000::"
gstatic-all:
dns_name: "*.gstatic.com."
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
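Review bot: The new `+ AAAA:` blocks under googleapis-private and googleapis-restricted make the response policy hand out the IPv6 VIPs, but nothing in the hunk records the precondition that those addresses are only usable from dual-stack subnets with a route for the 2600:2d00:2:… ranges; a client that prefers AAAA may otherwise try an unreachable address before falling back to the A answers. A YAML comment above each new block would make that dependency visible, e.g. `# IPv6 PGA VIP: only reachable from dual-stack subnets with a route for this range - confirm per stage`. The same three-line additions are applied byte-for-byte to the b-nva and c-separate-envs copies of dns-policy-rules.yaml (identical blob ids 66ec9caf1..4539b249a), so either keep the three files in lockstep or consider sourcing them from one place.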
diff --git a/fast/stages/2-networking-a-simple/dns-landing.tf b/fast/stages/2-networking-a-simple/dns-landing.tf
index f20ac2387..13ccf6038 100644
--- a/fast/stages/2-networking-a-simple/dns-landing.tf
+++ b/fast/stages/2-networking-a-simple/dns-landing.tf
@@ -62,6 +62,19 @@ module "landing-dns-priv-gcp" {
}
# Google APIs via response policies
+# the zone fixes issues with missing MX/SRV records when forwarding onprem
+
+module "landing-dns-priv-googleapis" {
+ source = "../../../modules/dns"
+ project_id = module.landing-project.project_id
+ name = "googleapis-com"
+ zone_config = {
+ domain = "googleapis.com."
+ private = {
+ client_networks = [module.landing-vpc.self_link]
+ }
+ }
+}
module "landing-dns-policy-googleapis" {
source = "../../../modules/dns-response-policy"
diff --git a/fast/stages/2-networking-b-nva/data/dns-policy-rules.yaml b/fast/stages/2-networking-b-nva/data/dns-policy-rules.yaml
index 66ec9caf1..4539b249a 100644
--- a/fast/stages/2-networking-b-nva/data/dns-policy-rules.yaml
+++ b/fast/stages/2-networking-b-nva/data/dns-policy-rules.yaml
@@ -79,6 +79,9 @@ googleapis-private: - 199.36.153.9 - 199.36.153.10 - 199.36.153.11
+ AAAA:
+ rrdatas:
+ - "2600:2d00:2:2000::"
googleapis-restricted:
dns_name: "restricted.googleapis.com."
local_data:
@@ -88,6 +91,9 @@ googleapis-restricted: - 199.36.153.5 - 199.36.153.6 - 199.36.153.7
+ AAAA:
+ rrdatas:
+ - "2600:2d00:2:1000::"
gstatic-all:
dns_name: "*.gstatic.com."
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
diff --git a/fast/stages/2-networking-b-nva/dns-landing.tf b/fast/stages/2-networking-b-nva/dns-landing.tf
index 415a96ceb..294442eac 100644
--- a/fast/stages/2-networking-b-nva/dns-landing.tf
+++ b/fast/stages/2-networking-b-nva/dns-landing.tf
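Review bot: The comment `+# the zone fixes issues with missing MX/SRV records when forwarding onprem` is the only explanation for attaching an empty private zone for `googleapis.com.` to the landing VPC, and it does not say what the zone changes: once Cloud DNS is authoritative for googleapis.com in that network, any name or record type the response policy in the following module does not override is answered locally (NXDOMAIN/NODATA) instead of leaving the network via the forwarding path the comment alludes to, which is configured outside this hunk. That also means the zone fails closed: a googleapis.com name the response-policy rules miss stops resolving inside the VPC rather than falling through to public resolution, which is worth stating so a future maintainer does not "fix" an outage by deleting the zone. I would replace the one-liner with a short comment above the module saying that the zone is intentionally empty, that response-policy rules take precedence over it, and that everything else under googleapis.com is therefore answered locally. The same module is added in 2-networking-b-nva/dns-landing.tf, dns-dev.tf and dns-prod.tf; in each, `client_networks` names a single VPC, which should match the networks the response policy is attached to (not visible in the hunk) or the MX/SRV fix applies unevenly.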
@@ -92,6 +92,19 @@ module "landing-dns-priv-gcp" {
}
# Google APIs via response policies
+# the zone fixes issues with missing MX/SRV records when forwarding onprem
+
+module "landing-dns-priv-googleapis" {
+ source = "../../../modules/dns"
+ project_id = module.landing-project.project_id
+ name = "googleapis-com"
+ zone_config = {
+ domain = "googleapis.com."
+ private = {
+ client_networks = [module.landing-vpc.self_link]
+ }
+ }
+}
module "landing-dns-policy-googleapis" {
source = "../../../modules/dns-response-policy"
diff --git a/fast/stages/2-networking-c-separate-envs/data/dns-policy-rules.yaml b/fast/stages/2-networking-c-separate-envs/data/dns-policy-rules.yaml
index 66ec9caf1..4539b249a 100644
--- a/fast/stages/2-networking-c-separate-envs/data/dns-policy-rules.yaml
+++ b/fast/stages/2-networking-c-separate-envs/data/dns-policy-rules.yaml
@@ -79,6 +79,9 @@ googleapis-private: - 199.36.153.9 - 199.36.153.10 - 199.36.153.11
+ AAAA:
+ rrdatas:
+ - "2600:2d00:2:2000::"
googleapis-restricted:
dns_name: "restricted.googleapis.com."
local_data:
@@ -88,6 +91,9 @@ googleapis-restricted: - 199.36.153.5 - 199.36.153.6 - 199.36.153.7
+ AAAA:
+ rrdatas:
+ - "2600:2d00:2:1000::"
gstatic-all:
dns_name: "*.gstatic.com."
local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }
diff --git a/fast/stages/2-networking-c-separate-envs/dns-dev.tf b/fast/stages/2-networking-c-separate-envs/dns-dev.tf
index e29dc861e..683d5b4a4 100644
--- a/fast/stages/2-networking-c-separate-envs/dns-dev.tf
+++ b/fast/stages/2-networking-c-separate-envs/dns-dev.tf
@@ -62,6 +62,19 @@ module "dev-dns-fwd-onprem-rev-10" {
}
# Google APIs
+# the zone fixes issues with missing MX/SRV records when forwarding onprem
+
+module "dev-dns-priv-googleapis" {
+ source = "../../../modules/dns"
+ project_id = module.dev-spoke-project.project_id
+ name = "googleapis-com"
+ zone_config = {
+ domain = "googleapis.com."
+ private = {
+ client_networks = [module.dev-spoke-vpc.self_link]
+ }
+ }
+}
module "dev-dns-policy-googleapis" {
source = "../../../modules/dns-response-policy"
diff --git a/fast/stages/2-networking-c-separate-envs/dns-prod.tf b/fast/stages/2-networking-c-separate-envs/dns-prod.tf
index 7234c6e26..6a508604c 100644
--- a/fast/stages/2-networking-c-separate-envs/dns-prod.tf
+++ b/fast/stages/2-networking-c-separate-envs/dns-prod.tf
@@ -62,6 +62,19 @@ module "prod-dns-fwd-onprem-rev-10" {
}
# Google APIs
+# the zone fixes issues with missing MX/SRV records when forwarding onprem
+
+module "prod-dns-priv-googleapis" {
+ source = "../../../modules/dns"
+ project_id = module.prod-spoke-project.project_id
+ name = "googleapis-com"
+ zone_config = {
+ domain = "googleapis.com."
+ private = {
+ client_networks = [module.prod-spoke-vpc.self_link]
+ }
+ }
+}
module "prod-dns-policy-googleapis" {
source = "../../../modules/dns-response-policy"
diff --git a/tests/fast/stages/s2_networking_a_simple/ncc.yaml b/tests/fast/stages/s2_networking_a_simple/ncc.yaml
index 36d2c9c8b..848212bea 100644
--- a/tests/fast/stages/s2_networking_a_simple/ncc.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/ncc.yaml
@@ -23,7 +23,7 @@ counts:
google_compute_router_nat: 2
google_compute_shared_vpc_host_project: 3
google_compute_subnetwork: 5
- google_dns_managed_zone: 9
+ google_dns_managed_zone: 10
google_dns_policy: 3
google_dns_record_set: 3
google_dns_response_policy: 1
@@ -41,5 +41,5 @@ counts:
google_project_service_identity: 20
google_storage_bucket_object: 1
google_tags_tag_binding: 3
- modules: 22
- resources: 175
+ modules: 23
+ resources: 176
diff --git a/tests/fast/stages/s2_networking_a_simple/simple.yaml b/tests/fast/stages/s2_networking_a_simple/simple.yaml
index 20b2edaf7..30d1f8768 100644
--- a/tests/fast/stages/s2_networking_a_simple/simple.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/simple.yaml
@@ -29,7 +29,7 @@ counts:
google_compute_shared_vpc_host_project: 3
google_compute_subnetwork: 5
google_compute_vpn_tunnel: 2
- google_dns_managed_zone: 9
+ google_dns_managed_zone: 10
google_dns_policy: 3
google_dns_record_set: 3
google_dns_response_policy: 1
@@ -45,6 +45,6 @@ counts:
google_project_service_identity: 20
google_storage_bucket_object: 1
google_tags_tag_binding: 3
- modules: 27
+ modules: 28
random_id: 3
- resources: 192
+ resources: 193
diff --git a/tests/fast/stages/s2_networking_a_simple/vpn.yaml b/tests/fast/stages/s2_networking_a_simple/vpn.yaml
index f6609d003..485ada9dc 100644
--- a/tests/fast/stages/s2_networking_a_simple/vpn.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/vpn.yaml
@@ -27,7 +27,7 @@ counts:
google_compute_shared_vpc_host_project: 3
google_compute_subnetwork: 5
google_compute_vpn_tunnel: 12
- google_dns_managed_zone: 9
+ google_dns_managed_zone: 10
google_dns_policy: 3
google_dns_record_set: 3
google_dns_response_policy: 1
@@ -43,6 +43,6 @@ counts:
google_project_service_identity: 20
google_storage_bucket_object: 1
google_tags_tag_binding: 3
- modules: 29
+ modules: 30
random_id: 17
- resources: 239
+ resources: 240
diff --git a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
index 054ff476c..9be19b7a6 100644
--- a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
@@ -30,7 +30,7 @@ counts:
google_compute_shared_vpc_host_project: 3
google_compute_subnetwork: 10
google_compute_vpn_tunnel: 4
- google_dns_managed_zone: 9
+ google_dns_managed_zone: 10
google_dns_policy: 4
google_dns_record_set: 3
google_dns_response_policy: 1
@@ -48,6 +48,6 @@ counts:
google_project_service_identity: 19
google_storage_bucket_object: 1
google_tags_tag_binding: 3
- modules: 37
+ modules: 38
random_id: 6
- resources: 256
+ resources: 257
diff --git a/tests/fast/stages/s2_networking_b_nva/regional.yaml b/tests/fast/stages/s2_networking_b_nva/regional.yaml
index d3c76f0fd..2ee3c8442 100644
--- a/tests/fast/stages/s2_networking_b_nva/regional.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/regional.yaml
@@ -34,7 +34,7 @@ counts:
google_compute_shared_vpc_host_project: 3
google_compute_subnetwork: 12
google_compute_vpn_tunnel: 4
- google_dns_managed_zone: 9
+ google_dns_managed_zone: 10
google_dns_policy: 6
google_dns_record_set: 3
google_dns_response_policy: 1
@@ -50,6 +50,6 @@ counts:
google_project_service_identity: 19
google_storage_bucket_object: 1
google_tags_tag_binding: 3
- modules: 45
+ modules: 46
random_id: 6
- resources: 264
+ resources: 265
diff --git a/tests/fast/stages/s2_networking_b_nva/simple.yaml b/tests/fast/stages/s2_networking_b_nva/simple.yaml
index bb1699354..b9a095e68 100644
--- a/tests/fast/stages/s2_networking_b_nva/simple.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/simple.yaml
@@ -34,7 +34,7 @@ counts:
google_compute_shared_vpc_host_project: 3
google_compute_subnetwork: 10
google_compute_vpn_tunnel: 4
- google_dns_managed_zone: 9
+ google_dns_managed_zone: 10
google_dns_policy: 4
google_dns_record_set: 3
google_dns_response_policy: 1
@@ -50,6 +50,6 @@ counts:
google_project_service_identity: 19
google_storage_bucket_object: 1
google_tags_tag_binding: 3
- modules: 41
+ modules: 42
random_id: 6
- resources: 242
+ resources: 243
diff --git a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml
index 5bcfe8b27..4a71acaee 100644
--- a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml
+++ b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml
@@ -28,7 +28,7 @@ counts:
google_compute_shared_vpc_host_project: 2
google_compute_subnetwork: 4
google_compute_vpn_tunnel: 4
- google_dns_managed_zone: 6
+ google_dns_managed_zone: 8
google_dns_policy: 2
google_dns_record_set: 2
google_dns_response_policy: 2
@@ -43,6 +43,6 @@ counts:
google_project_service_identity: 16
google_storage_bucket_object: 1
google_tags_tag_binding: 2
- modules: 20
+ modules: 22
random_id: 6
- resources: 212
+ resources: 214