DNSManagedZone

Property	Value
Google Cloud Service Name	Cloud DNS
Google Cloud Service Documentation	/dns/docs/
Google Cloud REST Resource Name	v1beta2.managedZones
Google Cloud REST Resource Documentation	/dns/docs/reference/v1beta2/managedZones
Config Connector Resource Short Names	gcpdnsmanagedzone gcpdnsmanagedzones dnsmanagedzone
Config Connector Service Name	dns.googleapis.com
Config Connector Resource Fully Qualified Name	dnsmanagedzones.dns.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember	Yes
Supports IAM Conditions	No
Supports IAM Audit Configs	No
IAM External Reference Format	projects/{{project}}/managedZones/{{name}}
Config Connector Default Average Reconcile Interval In Seconds	600

Custom Resource Definition Properties

Annotations

Fields
`cnrm.cloud.google.com/force-destroy`
`cnrm.cloud.google.com/project-id`

Spec

Schema

cloudLoggingConfig:
  enableLogging: boolean
description: string
dnsName: string
dnssecConfig:
  defaultKeySpecs:
  - algorithm: string
    keyLength: integer
    keyType: string
    kind: string
  kind: string
  nonExistence: string
  state: string
forwardingConfig:
  targetNameServers:
  - forwardingPath: string
    ipv4Address: string
peeringConfig:
  targetNetwork:
    networkRef:
      external: string
      name: string
      namespace: string
privateVisibilityConfig:
  gkeClusters:
  - gkeClusterNameRef:
      external: string
      name: string
      namespace: string
  networks:
  - networkRef:
      external: string
      name: string
      namespace: string
resourceID: string
reverseLookup: boolean
serviceDirectoryConfig:
  namespace:
    namespaceUrl: string
visibility: string

Fields

Fields
`cloudLoggingConfig` Optional	`object` Cloud logging configuration.
`cloudLoggingConfig.enableLogging` Required*	`boolean` If set, enable query logging for this ManagedZone. False by default, making logging opt-in.
`description` Optional	`string` A textual description field. Defaults to 'Managed by Config Connector'.
`dnsName` Required	`string` Immutable. The DNS name of this managed zone, for instance "example.com.".
`dnssecConfig` Optional	`object` DNSSEC configuration.
`dnssecConfig.defaultKeySpecs` Optional	`list (object)` Specifies parameters that will be used for generating initial DnsKeys for this ManagedZone. If you provide a spec for keySigning or zoneSigning, you must also provide one for the other. default_key_specs can only be updated when the state is 'off'.
`dnssecConfig.defaultKeySpecs[]` Optional	`object`
`dnssecConfig.defaultKeySpecs[].algorithm` Optional	`string` String mnemonic specifying the DNSSEC algorithm of this key Possible values: ["ecdsap256sha256", "ecdsap384sha384", "rsasha1", "rsasha256", "rsasha512"].
`dnssecConfig.defaultKeySpecs[].keyLength` Optional	`integer` Length of the keys in bits.
`dnssecConfig.defaultKeySpecs[].keyType` Optional	`string` Specifies whether this is a key signing key (KSK) or a zone signing key (ZSK). Key signing keys have the Secure Entry Point flag set and, when active, will only be used to sign resource record sets of type DNSKEY. Zone signing keys do not have the Secure Entry Point flag set and will be used to sign all other types of resource record sets. Possible values: ["keySigning", "zoneSigning"].
`dnssecConfig.defaultKeySpecs[].kind` Optional	`string` Identifies what kind of resource this is.
`dnssecConfig.kind` Optional	`string` Identifies what kind of resource this is.
`dnssecConfig.nonExistence` Optional	`string` Specifies the mechanism used to provide authenticated denial-of-existence responses. non_existence can only be updated when the state is 'off'. Possible values: ["nsec", "nsec3"].
`dnssecConfig.state` Optional	`string` Specifies whether DNSSEC is enabled, and what mode it is in Possible values: ["off", "on", "transfer"].
`forwardingConfig` Optional	`object` The presence for this field indicates that outbound forwarding is enabled for this zone. The value of this field contains the set of destinations to forward to.
`forwardingConfig.targetNameServers` Required*	`list (object)` List of target name servers to forward to. Cloud DNS will select the best available name server if more than one target is given.
`forwardingConfig.targetNameServers[]` Required*	`object`
`forwardingConfig.targetNameServers[].forwardingPath` Optional	`string` Forwarding path for this TargetNameServer. If unset or 'default' Cloud DNS will make forwarding decision based on address ranges, i.e. RFC1918 addresses go to the VPC, Non-RFC1918 addresses go to the Internet. When set to 'private', Cloud DNS will always send queries through VPC for this target Possible values: ["default", "private"].
`forwardingConfig.targetNameServers[].ipv4Address` Required*	`string` IPv4 address of a target name server.
`peeringConfig` Optional	`object` The presence of this field indicates that DNS Peering is enabled for this zone. The value of this field contains the network to peer with.
`peeringConfig.targetNetwork` Required*	`object` The network with which to peer.
`peeringConfig.targetNetwork.networkRef` Required*	`object` VPC network to forward queries to.
`peeringConfig.targetNetwork.networkRef.external` Optional	`string` Allowed value: The `selfLink` field of a `ComputeNetwork` resource.
`peeringConfig.targetNetwork.networkRef.name` Optional	`string` Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
`peeringConfig.targetNetwork.networkRef.namespace` Optional	`string` Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
`privateVisibilityConfig` Optional	`object` For privately visible zones, the set of Virtual Private Cloud resources that the zone is visible from. At least one of 'gke_clusters' or 'networks' must be specified.
`privateVisibilityConfig.gkeClusters` Optional	`list (object)` The list of Google Kubernetes Engine clusters that can see this zone.
`privateVisibilityConfig.gkeClusters[]` Optional	`object`
`privateVisibilityConfig.gkeClusters[].gkeClusterNameRef` Required*	`object` The resource name of the cluster to bind this ManagedZone to. This should be specified in the format like 'projects//locations//clusters/*'.
`privateVisibilityConfig.gkeClusters[].gkeClusterNameRef.external` Optional	`string` Allowed value: The `selfLink` field of a `ContainerCluster` resource.
`privateVisibilityConfig.gkeClusters[].gkeClusterNameRef.name` Optional	`string` Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
`privateVisibilityConfig.gkeClusters[].gkeClusterNameRef.namespace` Optional	`string` Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
`privateVisibilityConfig.networks` Optional	`list (object)`
`privateVisibilityConfig.networks[]` Optional	`object`
`privateVisibilityConfig.networks[].networkRef` Required*	`object` VPC network to bind to.
`privateVisibilityConfig.networks[].networkRef.external` Optional	`string` Allowed value: The `selfLink` field of a `ComputeNetwork` resource.
`privateVisibilityConfig.networks[].networkRef.name` Optional	`string` Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
`privateVisibilityConfig.networks[].networkRef.namespace` Optional	`string` Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
`resourceID` Optional	`string` Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.
`reverseLookup` Optional	`boolean` Immutable. Specifies if this is a managed reverse lookup zone. If true, Cloud DNS will resolve reverse lookup queries using automatically configured records for VPC resources. This only applies to networks listed under 'private_visibility_config'.
`serviceDirectoryConfig` Optional	`object` Immutable. The presence of this field indicates that this zone is backed by Service Directory. The value of this field contains information related to the namespace associated with the zone.
`serviceDirectoryConfig.namespace` Required*	`object` The namespace associated with the zone.
`serviceDirectoryConfig.namespace.namespaceUrl` Required*	`string` The fully qualified or partial URL of the service directory namespace that should be associated with the zone. This should be formatted like 'https://servicedirectory.googleapis.com/v1/projects/{project}/locations/{location}/namespaces/{namespace_id}' or simply 'projects/{project}/locations/{location}/namespaces/{namespace_id}' Ignored for 'public' visibility zones.
`visibility` Optional	`string` Immutable. The zone's visibility: public zones are exposed to the Internet, while private zones are visible only to Virtual Private Cloud resources. Default value: "public" Possible values: ["private", "public"].

cloudLoggingConfig

Optional

object

Cloud logging configuration.

cloudLoggingConfig.enableLogging

Required*

boolean

If set, enable query logging for this ManagedZone. False by default, making logging opt-in.

description

Optional

string

A textual description field. Defaults to 'Managed by Config Connector'.

dnsName

Required

string

Immutable. The DNS name of this managed zone, for instance "example.com.".

dnssecConfig

Optional

object

DNSSEC configuration.

dnssecConfig.defaultKeySpecs

Optional

list (object)

Specifies parameters that will be used for generating initial DnsKeys for this ManagedZone. If you provide a spec for keySigning or zoneSigning, you must also provide one for the other. default_key_specs can only be updated when the state is 'off'.

dnssecConfig.defaultKeySpecs[]

Optional

object

dnssecConfig.defaultKeySpecs[].algorithm

Optional

string

String mnemonic specifying the DNSSEC algorithm of this key Possible values: ["ecdsap256sha256", "ecdsap384sha384", "rsasha1", "rsasha256", "rsasha512"].

dnssecConfig.defaultKeySpecs[].keyLength

Optional

integer

Length of the keys in bits.

dnssecConfig.defaultKeySpecs[].keyType

Optional

string

Specifies whether this is a key signing key (KSK) or a zone signing key (ZSK). Key signing keys have the Secure Entry Point flag set and, when active, will only be used to sign resource record sets of type DNSKEY. Zone signing keys do not have the Secure Entry Point flag set and will be used to sign all other types of resource record sets. Possible values: ["keySigning", "zoneSigning"].

dnssecConfig.defaultKeySpecs[].kind

Optional

string

Identifies what kind of resource this is.

dnssecConfig.kind

Optional

string

Identifies what kind of resource this is.

dnssecConfig.nonExistence

Optional

string

Specifies the mechanism used to provide authenticated denial-of-existence responses. non_existence can only be updated when the state is 'off'. Possible values: ["nsec", "nsec3"].

dnssecConfig.state

Optional

string

Specifies whether DNSSEC is enabled, and what mode it is in Possible values: ["off", "on", "transfer"].

forwardingConfig

Optional

object

The presence for this field indicates that outbound forwarding is enabled for this zone. The value of this field contains the set of destinations to forward to.

forwardingConfig.targetNameServers

Required*

list (object)

List of target name servers to forward to. Cloud DNS will select the best available name server if more than one target is given.

forwardingConfig.targetNameServers[]

Required*

object

forwardingConfig.targetNameServers[].forwardingPath

Optional

string

Forwarding path for this TargetNameServer. If unset or 'default' Cloud DNS will make forwarding decision based on address ranges, i.e. RFC1918 addresses go to the VPC, Non-RFC1918 addresses go to the Internet. When set to 'private', Cloud DNS will always send queries through VPC for this target Possible values: ["default", "private"].

forwardingConfig.targetNameServers[].ipv4Address

Required*

string

IPv4 address of a target name server.

peeringConfig

Optional

object

The presence of this field indicates that DNS Peering is enabled for this zone. The value of this field contains the network to peer with.

peeringConfig.targetNetwork

Required*

object

The network with which to peer.

peeringConfig.targetNetwork.networkRef

Required*

object

VPC network to forward queries to.

peeringConfig.targetNetwork.networkRef.external

Optional

string

Allowed value: The `selfLink` field of a `ComputeNetwork` resource.

peeringConfig.targetNetwork.networkRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

peeringConfig.targetNetwork.networkRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

privateVisibilityConfig

Optional

object

For privately visible zones, the set of Virtual Private Cloud resources that the zone is visible from. At least one of 'gke_clusters' or 'networks' must be specified.

privateVisibilityConfig.gkeClusters

Optional

list (object)

The list of Google Kubernetes Engine clusters that can see this zone.

privateVisibilityConfig.gkeClusters[]

Optional

object

privateVisibilityConfig.gkeClusters[].gkeClusterNameRef

Required*

object

The resource name of the cluster to bind this ManagedZone to. This should be specified in the format like 'projects/*/locations/*/clusters/*'.

privateVisibilityConfig.gkeClusters[].gkeClusterNameRef.external

Optional

string

Allowed value: The `selfLink` field of a `ContainerCluster` resource.

privateVisibilityConfig.gkeClusters[].gkeClusterNameRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

privateVisibilityConfig.gkeClusters[].gkeClusterNameRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

privateVisibilityConfig.networks

Optional

list (object)

privateVisibilityConfig.networks[]

Optional

object

privateVisibilityConfig.networks[].networkRef

Required*

object

VPC network to bind to.

privateVisibilityConfig.networks[].networkRef.external

Optional

string

Allowed value: The `selfLink` field of a `ComputeNetwork` resource.

privateVisibilityConfig.networks[].networkRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

privateVisibilityConfig.networks[].networkRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

resourceID

Optional

string

Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

reverseLookup

Optional

boolean

Immutable. Specifies if this is a managed reverse lookup zone. If true, Cloud DNS will resolve reverse lookup queries using automatically configured records for VPC resources. This only applies to networks listed under 'private_visibility_config'.

serviceDirectoryConfig

Optional

object

Immutable. The presence of this field indicates that this zone is backed by Service Directory. The value of this field contains information related to the namespace associated with the zone.

serviceDirectoryConfig.namespace

Required*

object

The namespace associated with the zone.

serviceDirectoryConfig.namespace.namespaceUrl

Required*

string

The fully qualified or partial URL of the service directory namespace that should be associated with the zone. This should be formatted like 'https://servicedirectory.googleapis.com/v1/projects/{project}/locations/{location}/namespaces/{namespace_id}' or simply 'projects/{project}/locations/{location}/namespaces/{namespace_id}' Ignored for 'public' visibility zones.

visibility

Optional

string

Immutable. The zone's visibility: public zones are exposed to the Internet, while private zones are visible only to Virtual Private Cloud resources. Default value: "public" Possible values: ["private", "public"].

* Field is required when parent field is specified

Status

Schema

conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
creationTime: string
managedZoneId: integer
nameServers:
- string
observedGeneration: integer

Fields
`conditions`	`list (object)` Conditions represent the latest available observation of the resource's current state.
`conditions[]`	`object`
`conditions[].lastTransitionTime`	`string` Last time the condition transitioned from one status to another.
`conditions[].message`	`string` Human-readable message indicating details about last transition.
`conditions[].reason`	`string` Unique, one-word, CamelCase reason for the condition's last transition.
`conditions[].status`	`string` Status is the status of the condition. Can be True, False, Unknown.
`conditions[].type`	`string` Type is the type of the condition.
`creationTime`	`string` The time that this resource was created on the server. This is in RFC3339 text format.
`managedZoneId`	`integer` Unique identifier for the resource; defined by the server.
`nameServers`	`list (string)` Delegate your managed_zone to these virtual name servers; defined by the server.
`nameServers[]`	`string`
`observedGeneration`	`integer` ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

Sample YAML(s)

Typical Use Case

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: dns.cnrm.cloud.google.com/v1beta1
kind: DNSManagedZone
metadata:
  labels:
    label-one: "value-one"
  name: dnsmanagedzone-sample
spec:
  description: "Example DNS zone"
  dnsName: "cnrm-dns-example.com."
  visibility: private
  privateVisibilityConfig:
    networks:
      - networkRef:
          name: dnsmanagedzone-dep
---
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeNetwork
metadata:
  name: dnsmanagedzone-dep
spec:
  autoCreateSubnetworks: false