fix: enable missing DNS logging (terraform-google-modules#893)

* enable missing DNS logging

* use cbpools to identify the Cloud build network for peering

* add dns admin role and enable dns api

* remove dns admin roles from org level permissions of 4-projects sa

0-bootstrap/cb.tf

@@ -104,6 +104,7 @@ module "tf_source" {
     "appengine.googleapis.com",
     "storage-api.googleapis.com",
     "billingbudgets.googleapis.com",
+    "dns.googleapis.com",
   ]
 
   cloud_source_repos = distinct(concat(local.base_cloud_source_repos, local.cloud_source_repos))

0-bootstrap/modules/cb-private-pool/main.tf

@@ -15,7 +15,7 @@
  */
 
 locals {
-  network_name        = "vpc-b-peer"
+  network_name        = "vpc-b-cbpools"
   private_pool_name   = var.private_worker_pool.name != "" ? var.private_worker_pool.name : "private-pool-${random_string.suffix.result}"
   peered_network_id   = !var.private_worker_pool.enable_network_peering ? "" : var.private_worker_pool.peered_network_id != "" ? var.private_worker_pool.peered_network_id : module.peered_network[0].network_id
   peered_network_name = element(split("/", local.peered_network_id), index(split("/", local.peered_network_id), "networks") + 1, )

0-bootstrap/modules/cb-private-pool/network.tf

@@ -29,7 +29,7 @@ module "peered_network" {
 
   subnets = [
     {
-      subnet_name           = "sb-b-peer-${var.private_worker_pool.region}"
+      subnet_name           = "sb-b-cbpools-${var.private_worker_pool.region}"
       subnet_ip             = var.private_worker_pool.peered_network_subnet_ip
       subnet_region         = var.private_worker_pool.region
       subnet_private_access = "true"
@@ -40,10 +40,22 @@ module "peered_network" {
 
 }
 
+resource "google_dns_policy" "default_policy" {
+  count = var.private_worker_pool.create_peered_network ? 1 : 0
+
+  project                   = var.project_id
+  name                      = "dp-b-cbpools-default-policy"
+  enable_inbound_forwarding = true
+  enable_logging            = true
+  networks {
+    network_url = module.peered_network[0].network_self_link
+  }
+}
+
 resource "google_compute_global_address" "worker_pool_range" {
   count = var.private_worker_pool.enable_network_peering ? 1 : 0
 
-  name          = "ga-b-peer-worker-pool-range"
+  name          = "ga-b-cbpools-worker-pool-range"
   project       = var.project_id
   purpose       = "VPC_PEERING"
   address_type  = "INTERNAL"
@@ -80,7 +92,7 @@ module "firewall_rules" {
   network_name = local.peered_network_id
 
   rules = [{
-    name                    = "fw-b-peer-100-i-a-all-all-all-service-networking"
+    name                    = "fw-b-cbpools-100-i-a-all-all-all-service-networking"
     description             = "allow ingres from the IPs configured for service networking"
     direction               = "INGRESS"
     priority                = 100

0-bootstrap/modules/jenkins-agent/README.md

@@ -51,7 +51,7 @@ module "jenkins_bootstrap" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| activate\_apis | List of APIs to enable in the CICD project. | `list(string)` | <pre>[<br>  "serviceusage.googleapis.com",<br>  "servicenetworking.googleapis.com",<br>  "compute.googleapis.com",<br>  "logging.googleapis.com",<br>  "bigquery.googleapis.com",<br>  "cloudresourcemanager.googleapis.com",<br>  "cloudbilling.googleapis.com",<br>  "iam.googleapis.com",<br>  "admin.googleapis.com",<br>  "appengine.googleapis.com",<br>  "storage-api.googleapis.com"<br>]</pre> | no |
+| activate\_apis | List of APIs to enable in the CICD project. | `list(string)` | <pre>[<br>  "serviceusage.googleapis.com",<br>  "servicenetworking.googleapis.com",<br>  "compute.googleapis.com",<br>  "logging.googleapis.com",<br>  "bigquery.googleapis.com",<br>  "cloudresourcemanager.googleapis.com",<br>  "cloudbilling.googleapis.com",<br>  "iam.googleapis.com",<br>  "admin.googleapis.com",<br>  "appengine.googleapis.com",<br>  "storage-api.googleapis.com",<br>  "dns.googleapis.com"<br>]</pre> | no |
 | bgp\_peer\_asn | BGP ASN for peer cloud routes. | `number` | `"64513"` | no |
 | billing\_account | The ID of the billing account to associate projects with. | `string` | n/a | yes |
 | default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no |

0-bootstrap/modules/jenkins-agent/main.tf

@@ -146,6 +146,16 @@ resource "google_compute_subnetwork" "jenkins_agents_subnet" {
   }
 }
 
+resource "google_dns_policy" "default_policy" {
+  project                   = module.cicd_project.project_id
+  name                      = "dp-b-jenkinsagents-default-policy"
+  enable_inbound_forwarding = true
+  enable_logging            = true
+  networks {
+    network_url = google_compute_network.jenkins_agents.self_link
+  }
+}
+
 resource "google_compute_address" "jenkins_agent_gce_static_ip" {
   // This internal IP address needs to be accessible via the VPN tunnel
   project      = module.cicd_project.project_id

0-bootstrap/modules/jenkins-agent/variables.tf

@@ -184,6 +184,7 @@ variable "activate_apis" {
     "admin.googleapis.com",
     "appengine.googleapis.com",
     "storage-api.googleapis.com",
+    "dns.googleapis.com",
   ]
 }
 

0-bootstrap/sa.tf

@@ -123,6 +123,7 @@ locals {
       "roles/workflows.admin",
       "roles/cloudscheduler.admin",
       "roles/resourcemanager.projectDeleter",
+      "roles/dns.admin",
     ],
   }
 }

4-projects/modules/base_env/example_peering_project.tf

@@ -40,6 +40,10 @@ module "peering_project" {
   project_budget  = var.project_budget
   project_prefix  = local.project_prefix
 
+  activate_apis = [
+    "dns.googleapis.com"
+  ]
+
   # Metadata
   project_suffix    = "sample-peering"
   application_name  = "${var.business_code}-sample-peering"
@@ -59,6 +63,16 @@ module "peering_network" {
   subnets                                = []
 }
 
+resource "google_dns_policy" "default_policy" {
+  project                   = module.peering_project.project_id
+  name                      = "dp-${local.env_code}-peering-base-default-policy"
+  enable_inbound_forwarding = true
+  enable_logging            = true
+  networks {
+    network_url = module.peering_network.network_self_link
+  }
+}
+
 module "peering" {
   source            = "terraform-google-modules/network/google//modules/network-peering"
   version           = "~> 5.0"

test/integration/bootstrap/bootstrap_test.go

@@ -164,7 +164,7 @@ func TestBootstrap(t *testing.T) {
 			assert.Equal("100", pool.Get("privatePoolV1Config.workerConfig.diskSizeGb").String(), "pool %s should have the configured disk size", workerPoolName)
 			assert.Equal(peeredNetworkName, testutils.GetLastSplitElement(pool.Get("privatePoolV1Config.networkConfig.peeredNetwork").String(), "/"), "pool %s should have peered network configured", workerPoolName)
 
-			globalAddressName := "ga-b-peer-worker-pool-range"
+			globalAddressName := "ga-b-cbpools-worker-pool-range"
 			globalAddress := gcloud.Runf(t, "compute addresses describe %s --global --project %s", globalAddressName, cbProjectID)
 			assert.Equal(globalAddressName, globalAddress.Get("name").String(), fmt.Sprintf("global address %s should exist", globalAddressName))
 			assert.Equal("VPC_PEERING", globalAddress.Get("purpose").String(), fmt.Sprintf("global address %s purpose should be VPC peering", globalAddressName))