Address DNS issues with googleapis RPZ and forwarding (#2891)

* add empty DNS zone for googleapis to net stages

* add ipv6 records for private/restricted

* avoid permadiff in rpz ipv6 addresses

fast/stages/2-networking-a-simple/data/dns-policy-rules.yaml

@@ -79,6 +79,9 @@ googleapis-private:
         - 199.36.153.9
         - 199.36.153.10
         - 199.36.153.11
+    AAAA:
+      rrdatas:
+        - "2600:2d00:2:2000::"
 googleapis-restricted:
   dns_name: "restricted.googleapis.com."
   local_data:
@@ -88,6 +91,9 @@ googleapis-restricted:
         - 199.36.153.5
         - 199.36.153.6
         - 199.36.153.7
+    AAAA:
+      rrdatas:
+        - "2600:2d00:2:1000::"
 gstatic-all:
   dns_name: "*.gstatic.com."
   local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }

fast/stages/2-networking-a-simple/dns-landing.tf

@@ -62,6 +62,19 @@ module "landing-dns-priv-gcp" {
 }
 
 # Google APIs via response policies
+# the zone fixes issues with missing MX/SRV records when forwarding onprem
+
+module "landing-dns-priv-googleapis" {
+  source     = "../../../modules/dns"
+  project_id = module.landing-project.project_id
+  name       = "googleapis-com"
+  zone_config = {
+    domain = "googleapis.com."
+    private = {
+      client_networks = [module.landing-vpc.self_link]
+    }
+  }
+}
 
 module "landing-dns-policy-googleapis" {
   source     = "../../../modules/dns-response-policy"

fast/stages/2-networking-b-nva/data/dns-policy-rules.yaml

@@ -79,6 +79,9 @@ googleapis-private:
         - 199.36.153.9
         - 199.36.153.10
         - 199.36.153.11
+    AAAA:
+      rrdatas:
+        - "2600:2d00:2:2000::"
 googleapis-restricted:
   dns_name: "restricted.googleapis.com."
   local_data:
@@ -88,6 +91,9 @@ googleapis-restricted:
         - 199.36.153.5
         - 199.36.153.6
         - 199.36.153.7
+    AAAA:
+      rrdatas:
+        - "2600:2d00:2:1000::"
 gstatic-all:
   dns_name: "*.gstatic.com."
   local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }

fast/stages/2-networking-b-nva/dns-landing.tf

@@ -92,6 +92,19 @@ module "landing-dns-priv-gcp" {
 }
 
 # Google APIs via response policies
+# the zone fixes issues with missing MX/SRV records when forwarding onprem
+
+module "landing-dns-priv-googleapis" {
+  source     = "../../../modules/dns"
+  project_id = module.landing-project.project_id
+  name       = "googleapis-com"
+  zone_config = {
+    domain = "googleapis.com."
+    private = {
+      client_networks = [module.landing-vpc.self_link]
+    }
+  }
+}
 
 module "landing-dns-policy-googleapis" {
   source     = "../../../modules/dns-response-policy"

fast/stages/2-networking-c-separate-envs/data/dns-policy-rules.yaml

@@ -79,6 +79,9 @@ googleapis-private:
         - 199.36.153.9
         - 199.36.153.10
         - 199.36.153.11
+    AAAA:
+      rrdatas:
+        - "2600:2d00:2:2000::"
 googleapis-restricted:
   dns_name: "restricted.googleapis.com."
   local_data:
@@ -88,6 +91,9 @@ googleapis-restricted:
         - 199.36.153.5
         - 199.36.153.6
         - 199.36.153.7
+    AAAA:
+      rrdatas:
+        - "2600:2d00:2:1000::"
 gstatic-all:
   dns_name: "*.gstatic.com."
   local_data: { CNAME: { rrdatas: ["private.googleapis.com."] } }

fast/stages/2-networking-c-separate-envs/dns-dev.tf

@@ -62,6 +62,19 @@ module "dev-dns-fwd-onprem-rev-10" {
 }
 
 # Google APIs
+# the zone fixes issues with missing MX/SRV records when forwarding onprem
+
+module "dev-dns-priv-googleapis" {
+  source     = "../../../modules/dns"
+  project_id = module.dev-spoke-project.project_id
+  name       = "googleapis-com"
+  zone_config = {
+    domain = "googleapis.com."
+    private = {
+      client_networks = [module.dev-spoke-vpc.self_link]
+    }
+  }
+}
 
 module "dev-dns-policy-googleapis" {
   source     = "../../../modules/dns-response-policy"

fast/stages/2-networking-c-separate-envs/dns-prod.tf

@@ -62,6 +62,19 @@ module "prod-dns-fwd-onprem-rev-10" {
 }
 
 # Google APIs
+# the zone fixes issues with missing MX/SRV records when forwarding onprem
+
+module "prod-dns-priv-googleapis" {
+  source     = "../../../modules/dns"
+  project_id = module.prod-spoke-project.project_id
+  name       = "googleapis-com"
+  zone_config = {
+    domain = "googleapis.com."
+    private = {
+      client_networks = [module.prod-spoke-vpc.self_link]
+    }
+  }
+}
 
 module "prod-dns-policy-googleapis" {
   source     = "../../../modules/dns-response-policy"