GoogleCloudPlatform · ludoo · May 4, 2023 · May 3, 2023 · May 3, 2023 · May 3, 2023
diff --git a/fast/stages/2-networking-a-peering/README.md b/fast/stages/2-networking-a-peering/README.md
@@ -130,7 +130,7 @@ DNS configuration is further centralized by leveraging peering zones, so that
 
 - the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com)
 - the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing.
-- Private Google Access is enabled for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
+- Private Google Access is enabled via [DNS Response Policies](https://cloud.google.com/dns/docs/zones/manage-response-policies#create-response-policy-rule) for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
   - `private.googleapis.com`
   - `restricted.googleapis.com`
   - `gcr.io`
@@ -382,7 +382,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | name | description | modules | resources |
 |---|---|---|---|
 | [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> |  |
-| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> |  |
+| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> · <code>dns-response-policy</code> |  |
 | [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> |  |
 | [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> |  |
 | [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> |  |

diff --git a/fast/stages/2-networking-a-peering/dns-dev.tf b/fast/stages/2-networking-a-peering/dns-dev.tf
@@ -18,7 +18,12 @@
 
 # GCP-specific environment zone
 
-module "dev-dns-private-zone" {
+moved {
+  from = module.dev-dns-private-zone
+  to   = module.dev-dns-priv-example
+}
+
+module "dev-dns-priv-example" {
   source          = "../../../modules/dns"
   project_id      = module.dev-spoke-project.project_id
   type            = "private"
@@ -32,7 +37,12 @@ module "dev-dns-private-zone" {
 
 # root zone peering to landing to centralize configuration; remove if unneeded
 
-module "dev-landing-root-dns-peering" {
+moved {
+  from = module.dev-landing-root-dns-peering
+  to   = module.dev-dns-peer-landing-root
+}
+
+module "dev-dns-peer-landing-root" {
   source          = "../../../modules/dns"
   project_id      = module.dev-spoke-project.project_id
   type            = "peering"
@@ -42,7 +52,12 @@ module "dev-landing-root-dns-peering" {
   peer_network    = module.landing-vpc.self_link
 }
 
-module "dev-reverse-10-dns-peering" {
+moved {
+  from = module.dev-reverse-10-dns-peering
+  to   = module.dev-dns-peer-landing-rev-10
+}
+
+module "dev-dns-peer-landing-rev-10" {
   source          = "../../../modules/dns"
   project_id      = module.dev-spoke-project.project_id
   type            = "peering"

diff --git a/fast/stages/2-networking-a-peering/dns-landing.tf b/fast/stages/2-networking-a-peering/dns-landing.tf
@@ -16,9 +16,27 @@
 
 # tfdoc:file:description Landing DNS zones and peerings setup.
 
+locals {
+  googleapis_domains = {
+    gcr                = "gcr.io."
+    gcr-all            = "*.gcr.io."
+    packages-cloud     = "packages.cloud.google.com."
+    packages-cloud-all = "*.packages.cloud.google.com."
+    pkgdev             = "pkg.dev."
+    pkgdev-all         = "*.pkg.dev."
+    pkigoog            = "pki.goog."
+    pkigoog-all        = "*.pki.goog."
+  }
+}
+
 # forwarding to on-prem DNS resolvers
 
-module "onprem-example-dns-forwarding" {
+moved {
+  from = module.onprem-example-dns-forwarding
+  to   = module.landing-dns-fwd-onprem-example
+}
+
+module "landing-dns-fwd-onprem-example" {
   source          = "../../../modules/dns"
   project_id      = module.landing-project.project_id
   type            = "forwarding"
@@ -28,7 +46,12 @@ module "onprem-example-dns-forwarding" {
   forwarders      = { for ip in var.dns.onprem : ip => null }
 }
 
-module "reverse-10-dns-forwarding" {
+moved {
+  from = module.reverse-10-dns-forwarding
+  to   = module.landing-dns-fwd-onprem-rev-10
+}
+
+module "landing-dns-fwd-onprem-rev-10" {
   source          = "../../../modules/dns"
   project_id      = module.landing-project.project_id
   type            = "forwarding"
@@ -38,7 +61,12 @@ module "reverse-10-dns-forwarding" {
   forwarders      = { for ip in var.dns.onprem : ip => null }
 }
 
-module "gcp-example-dns-private-zone" {
+moved {
+  from = module.gcp-example-dns-private-zone
+  to   = module.landing-dns-priv-gcp
+}
+
+module "landing-dns-priv-gcp" {
   source          = "../../../modules/dns"
   project_id      = module.landing-project.project_id
   type            = "private"
@@ -50,82 +78,43 @@ module "gcp-example-dns-private-zone" {
   }
 }
 
-# Google APIs
-
-module "googleapis-private-zone" {
-  source          = "../../../modules/dns"
-  project_id      = module.landing-project.project_id
-  type            = "private"
-  name            = "googleapis-com"
-  domain          = "googleapis.com."
-  client_networks = [module.landing-vpc.self_link]
-  recordsets = {
-    "A private" = { records = [
-      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
-    ] }
-    "A restricted" = { records = [
-      "199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"
-    ] }
-    "CNAME *" = { records = ["private.googleapis.com."] }
-  }
-}
-
-module "gcrio-private-zone" {
-  source          = "../../../modules/dns"
-  project_id      = module.landing-project.project_id
-  type            = "private"
-  name            = "gcr-io"
-  domain          = "gcr.io."
-  client_networks = [module.landing-vpc.self_link]
-  recordsets = {
-    "A gcr.io." = { ttl = 300, records = [
-      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
-    ] }
-    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
-  }
-}
-
-module "packages-private-zone" {
-  source          = "../../../modules/dns"
-  project_id      = module.landing-project.project_id
-  type            = "private"
-  name            = "packages-cloud"
-  domain          = "packages.cloud.google.com."
-  client_networks = [module.landing-vpc.self_link]
-  recordsets = {
-    "A packages.cloud.google.com." = { ttl = 300, records = [
-      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
-    ] }
-    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
-  }
-}
+# Google APIs via response policies
 
-module "pkgdev-private-zone" {
-  source          = "../../../modules/dns"
-  project_id      = module.landing-project.project_id
-  type            = "private"
-  name            = "pkg-dev"
-  domain          = "pkg.dev."
-  client_networks = [module.landing-vpc.self_link]
-  recordsets = {
-    "A pkg.dev." = { ttl = 300, records = [
-      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
-    ] }
-    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
-  }
-}
-
-module "pkigoog-private-zone" {
-  source          = "../../../modules/dns"
-  project_id      = module.landing-project.project_id
-  type            = "private"
-  name            = "pki-goog"
-  domain          = "pki.goog."
-  client_networks = [module.landing-vpc.self_link]
-  recordsets = {
-    "A pki.goog." = { ttl = 300, records = [
-      "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
-    ] }
-    "CNAME *" = { ttl = 300, records = ["private.googleapis.com."] }
+module "landing-dns-policy-googleapis" {
+  source     = "../../../modules/dns-response-policy"
+  project_id = module.landing-project.project_id
+  name       = "googleapis"
+  networks = {
+    landing = module.landing-vpc.self_link
   }
+  rules = merge(
+    {
+      googleapis-all = {
+        dns_name = "*.googleapis.com."
+        local_data = { CNAME = { rrdatas = [
+          "private.googleapis.com."
+        ] } }
+      }
+      googleapis-private = {
+        dns_name = "private.googleapis.com."
+        local_data = { A = { rrdatas = [
+          "199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"
+        ] } }
+      }
+      googleapis-restricted = {
+        dns_name = "restricted.googleapis.com."
+        local_data = { A = { rrdatas = [
+          "199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"
+        ] } }
+      }
+    },
+    {
+      for k, v in local.googleapis_domains : k => {
+        dns_name = v
+        local_data = { CNAME = { rrdatas = [
+          "private.googleapis.com."
+        ] } }
+      }
+    }
+  )
 }
diff --git a/fast/stages/2-networking-a-peering/dns-prod.tf b/fast/stages/2-networking-a-peering/dns-prod.tf
@@ -18,7 +18,12 @@
 
 # GCP-specific environment zone
 
-module "prod-dns-private-zone" {
+moved {
+  from = module.prod-dns-private-zone
+  to   = module.prod-dns-priv-example
+}
+
+module "prod-dns-priv-example" {
   source          = "../../../modules/dns"
   project_id      = module.prod-spoke-project.project_id
   type            = "private"
@@ -32,7 +37,12 @@ module "prod-dns-private-zone" {
 
 # root zone peering to landing to centralize configuration; remove if unneeded
 
-module "prod-landing-root-dns-peering" {
+moved {
+  from = module.prod-landing-root-dns-peering
+  to   = module.prod-dns-peer-landing-root
+}
+
+module "prod-dns-peer-landing-root" {
   source          = "../../../modules/dns"
   project_id      = module.prod-spoke-project.project_id
   type            = "peering"
@@ -42,7 +52,12 @@ module "prod-landing-root-dns-peering" {
   peer_network    = module.landing-vpc.self_link
 }
 
-module "prod-reverse-10-dns-peering" {
+moved {
+  from = module.prod-reverse-10-dns-peering
+  to   = module.prod-dns-peer-landing-rev-10
+}
+
+module "prod-dns-peer-landing-rev-10" {
   source          = "../../../modules/dns"
   project_id      = module.prod-spoke-project.project_id
   type            = "peering"

diff --git a/fast/stages/2-networking-b-vpn/README.md b/fast/stages/2-networking-b-vpn/README.md
@@ -136,7 +136,7 @@ DNS configuration is further centralized by leveraging peering zones, so that
 
 - the hub/landing Cloud DNS hosts configurations for on-prem forwarding, Google API domains, and the top-level private zone/s (e.g. gcp.example.com)
 - the spokes Cloud DNS host configurations for the environment-specific domains (e.g. prod.gcp.example.com), which are bound to the hub/landing leveraging [cross-project binding](https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding); a peering zone for the `.` (root) zone is then created on each spoke, delegating all DNS resolution to hub/landing.
-- Private Google Access is enabled for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
+- Private Google Access is enabled via [DNS Response Policies](https://cloud.google.com/dns/docs/zones/manage-response-policies#create-response-policy-rule) for a selection of the [supported domains](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options), namely
   - `private.googleapis.com`
   - `restricted.googleapis.com`
   - `gcr.io`
@@ -405,7 +405,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | name | description | modules | resources |
 |---|---|---|---|
 | [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> |  |
-| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> |  |
+| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> · <code>dns-response-policy</code> |  |
 | [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> |  |
 | [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> |  |
 | [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> |  |

diff --git a/fast/stages/2-networking-b-vpn/dns-dev.tf b/fast/stages/2-networking-b-vpn/dns-dev.tf
@@ -18,7 +18,12 @@
 
 # GCP-specific environment zone
 
-module "dev-dns-private-zone" {
+moved {
+  from = module.dev-dns-private-zone
+  to   = module.dev-dns-priv-example
+}
+
+module "dev-dns-priv-example" {
   source          = "../../../modules/dns"
   project_id      = module.dev-spoke-project.project_id
   type            = "private"
@@ -32,7 +37,12 @@ module "dev-dns-private-zone" {
 
 # root zone peering to landing to centralize configuration; remove if unneeded
 
-module "dev-landing-root-dns-peering" {
+moved {
+  from = module.dev-landing-root-dns-peering
+  to   = module.dev-dns-peer-landing-root
+}
+
+module "dev-dns-peer-landing-root" {
   source          = "../../../modules/dns"
   project_id      = module.dev-spoke-project.project_id
   type            = "peering"
@@ -42,7 +52,12 @@ module "dev-landing-root-dns-peering" {
   peer_network    = module.landing-vpc.self_link
 }
 
-module "dev-reverse-10-dns-peering" {
+moved {
+  from = module.dev-reverse-10-dns-peering
+  to   = module.dev-dns-peer-landing-rev-10
+}
+
+module "dev-dns-peer-landing-rev-10" {
   source          = "../../../modules/dns"
   project_id      = module.dev-spoke-project.project_id
   type            = "peering"