GoogleCloudPlatform · modular-magician · May 29, 2019 · May 28, 2019 · May 29, 2019 · May 29, 2019
diff --git a/build/ansible b/build/ansible
diff --git a/build/terraform b/build/terraform
diff --git a/build/terraform-beta b/build/terraform-beta
diff --git a/products/dns/api.yaml b/products/dns/api.yaml
@@ -55,6 +55,9 @@ objects:
         description: |
           The DNS name of this managed zone, for instance "example.com.".
         required: true
+      # TODO: Update support for dnssecConfig. Once this is added, property descriptions should be
+      # modified to state that properties (nonExistence, defaultKeySpecs) can only be updated while
+      # the state is "off".
       - !ruby/object:Api::Type::NestedObject
         name: 'dnssecConfig'
         description: DNSSEC configuration
@@ -66,7 +69,7 @@ objects:
           - !ruby/object:Api::Type::Enum
             name: 'nonExistence'
             description: |
-              Specifies the mechanism used to provide authenticated denial-of-existence responses. Output only while state is not OFF. 
+              Specifies the mechanism used to provide authenticated denial-of-existence responses.
             values:
               - "nsec"
               - "nsec3"
@@ -81,7 +84,8 @@ objects:
             name: 'defaultKeySpecs'
             description: |
               Specifies parameters that will be used for generating initial DnsKeys
-              for this ManagedZone. Output only while state is not OFF
+              for this ManagedZone. If you provide a spec for keySigning or zoneSigning,
+              you must also provide one for the other.
             item_type: !ruby/object:Api::Type::NestedObject
               properties:
                 - !ruby/object:Api::Type::Enum

diff --git a/products/dns/terraform.yaml b/products/dns/terraform.yaml
@@ -49,6 +49,10 @@ overrides: !ruby/object:Overrides::ResourceOverrides
           A textual description field. Defaults to 'Managed by Terraform'.
         default_value: 'Managed by Terraform'
         required: false
+      dnssecConfig.defaultKeySpecs: !ruby/object:Overrides::Terraform::PropertyOverride
+        default_from_api: true
+      dnssecConfig.nonExistence: !ruby/object:Overrides::Terraform::PropertyOverride
+        default_from_api: true
       id: !ruby/object:Overrides::Terraform::PropertyOverride
         exclude: true
       nameServerSet: !ruby/object:Overrides::Terraform::PropertyOverride

diff --git a/third_party/terraform/tests/resource_dns_managed_zone_test.go.erb b/third_party/terraform/tests/resource_dns_managed_zone_test.go.erb
@@ -68,6 +68,51 @@ func TestAccDnsManagedZone_privateUpdate(t *testing.T) {
 		},
 	})
 }
+
+func TestAccDnsManagedZone_dnssec_on(t *testing.T) {
+	t.Parallel()
+
+	zoneSuffix := acctest.RandString(10)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckDnsManagedZoneDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccDnsManagedZone_dnssec_on(zoneSuffix),
+			},
+			resource.TestStep{
+				ResourceName:      "google_dns_managed_zone.foobar",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccDnsManagedZone_dnssec_off(t *testing.T) {
+	t.Parallel()
+
+	zoneSuffix := acctest.RandString(10)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckDnsManagedZoneDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccDnsManagedZone_dnssec_off(zoneSuffix),
+			},
+			resource.TestStep{
+				ResourceName:      "google_dns_managed_zone.foobar",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 <% unless version.nil? || version == 'ga' -%>
 func TestAccDnsManagedZone_privateForwardingUpdate(t *testing.T) {
 	t.Parallel()
@@ -114,6 +159,40 @@ resource "google_dns_managed_zone" "foobar" {
 }`, suffix, suffix, description)
 }
 
+func testAccDnsManagedZone_dnssec_on(suffix string) string {
+	return fmt.Sprintf(`
+resource "google_dns_managed_zone" "foobar" {
+  name     = "mzone-test-%s"
+  dns_name = "tf-acctest-%s.hashicorptest.com."
+
+  dnssec_config {
+    state = "on"
+    default_key_specs {
+      algorithm  = "rsasha256"
+      key_length = "2048"
+      key_type   = "zoneSigning"
+    }
+    default_key_specs {
+      algorithm  = "rsasha256"
+      key_length = "2048"
+      key_type   = "keySigning"
+    }
+  }
+}`, suffix, suffix)
+}
+
+func testAccDnsManagedZone_dnssec_off(suffix string) string {
+	return fmt.Sprintf(`
+resource "google_dns_managed_zone" "foobar" {
+  name     = "mzone-test-%s"
+  dns_name = "tf-acctest-%s.hashicorptest.com."
+
+  dnssec_config {
+    state = "off"
+  }
+}`, suffix, suffix)
+}
+
 func testAccDnsManagedZone_privateUpdate(suffix, first_network, second_network string) string {
 	return fmt.Sprintf(`
 resource "google_dns_managed_zone" "private" {
@@ -128,14 +207,6 @@ resource "google_dns_managed_zone" "private" {
     networks {
       network_url = "${google_compute_network.%s.self_link}"
     }
-    dnssec_config {
-      state             = "on"
-      default_key_specs {
-        algorithm       = "rsasha1"
-        key_length      = "128"
-        key_type        = "zoneSigning"
-      }
-    }
   }
 }
+6 −4		lib/ansible/modules/cloud/google/gcp_dns_managed_zone.py
+3 −2		lib/ansible/modules/cloud/google/gcp_dns_managed_zone_facts.py