Creates a Managed Zone.


google::dns-managed-zone private-managed-zone-example
    name: "private-managed-zone-example"
    description: "Private Managed Zone Example"
    dns-name: ""
    visibility: "private"

            network: $(google::compute-network managed-zone-network-example)

google::dns-managed-zone public-managed-zone-example
    name: "public-managed-zone-example"
    description: "Public Managed Zone Example"
    dns-name: ""

        state: "on"


Attribute Description
description A mutable string of at most 1024 characters associated with this resource for the user’s convenience. Has no effect on the managed zone’s function. (Required)
dns-name The DNS name of this managed zone, for instance Must be a string ending with a single . at the end. Valid values satisfy the regex: [.+(?<!\\.)\\.\\z].
dnssec-config subresource

DNSSEC configuration. Cannot be set if any of forwarding-config or private-visibility-config is set.

default-key-spec list subresource

Specifies parameters for generating initial DnsKeys for this managed zone.

String mnemonic specifying the DNSSEC algorithm of this key. Valid values are ecdsap256sha256, ecdsap384sha384, rsasha1, rsasha256 or rsasha512.
Length of the keys in bits.
Specifies whether this is a key signing key (KSK) or a zone signing key (ZSK). Key signing keys have the Secure Entry Point flag set and, when active, will only be used to sign resource record sets of type DNSKEY. Zone signing keys do not have the Secure Entry Point flag set and will be used to sign all other types of resource record sets. Valid values are keySigning or zoneSigning. (Required)
Specifies the mechanism for authenticated denial-of-existence responses. Valid values are nsec or nsec3.
Specifies whether DNSSEC is enabled, and what mode it is in. Valid values are on, off or transfer.
forwarding-config subresource

The presence for this field indicates that outbound forwarding is enabled for this zone. The value of this field contains the set of destinations to forward to. Cannot be set if dnssec-config is set.

target-name-server list subresource

List of target name servers to forward to. Cloud DNS will select the best available name server if more than one target is given. (Required)

IPv4 address of a target name server. (Required)
labels map User labels.
name User assigned name for this resource. Must be unique within the project. The name must be 1-63 characters long, must begin with a letter, end with a letter or digit, and only contain lowercase letters, digits or dashes. (Required)
name-server-set Optionally specifies the NameServerSet for this ManagedZone. A NameServerSet is a set of DNS name servers that all host the same ManagedZones. Most users will leave this field unset.
private-visibility-config subresource

For privately visible zones, the set of Virtual Private Cloud resources that the zone is visible from. Cannot be set if dnssec-config is set.

network list subresource

The list of VPC networks that can see this zone. (Required)

network resource

The VPC network to bind to. (Required)

visibility The zone’s visibility: public zones are exposed to the Internet, while private zones are visible only to Virtual Private Cloud resources. Valid values are private or public.


Attribute Description
name-servers list Delegate your managed_zone to these virtual name servers.