From ffe635b58f03538b9788e263fbdcbffe1de5a49a Mon Sep 17 00:00:00 2001
From: Miren Esnaola <mirene@google.com>
Date: Wed, 19 Jul 2023 16:01:06 +0200
Subject: [PATCH] enable-logging flag can only be true for public zones

---
 modules/dns/README.md    | 2 +-
 modules/dns/main.tf      | 2 +-
 modules/dns/variables.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/dns/README.md b/modules/dns/README.md
index 4e9a882f5a..307e745152 100644
--- a/modules/dns/README.md
+++ b/modules/dns/README.md
@@ -150,7 +150,7 @@ module "public-dns" {
 | [description](variables.tf#L21) | Domain description. | <code>string</code> |  | <code>&#34;Terraform managed.&#34;</code> |
 | [iam](variables.tf#L27) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>null</code> |
 | [recordsets](variables.tf#L43) | Map of DNS recordsets in \"type name\" => {ttl, [records]} format. | <code title="map&#40;object&#40;&#123;&#10;  ttl     &#61; optional&#40;number, 300&#41;&#10;  records &#61; optional&#40;list&#40;string&#41;&#41;&#10;  geo_routing &#61; optional&#40;list&#40;object&#40;&#123;&#10;    location &#61; string&#10;    records  &#61; list&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;  wrr_routing &#61; optional&#40;list&#40;object&#40;&#123;&#10;    weight  &#61; number&#10;    records &#61; list&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [zone_config](variables.tf#L78) | DNS zone configuration. | <code title="object&#40;&#123;&#10;  domain         &#61; string&#10;  enable_logging &#61; optional&#40;bool, false&#41;&#10;  forwarding &#61; optional&#40;object&#40;&#123;&#10;    forwarders      &#61; optional&#40;map&#40;string&#41;&#41;&#10;    client_networks &#61; list&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  peering &#61; optional&#40;object&#40;&#123;&#10;    client_networks &#61; list&#40;string&#41;&#10;    peer_network    &#61; string&#10;  &#125;&#41;&#41;&#10;  public &#61; optional&#40;object&#40;&#123;&#10;    dnssec_config &#61; optional&#40;object&#40;&#123;&#10;      non_existence &#61; optional&#40;string, &#34;nsec3&#34;&#41;&#10;      state         &#61; string&#10;      key_signing_key &#61; optional&#40;object&#40;&#10;        &#123; algorithm &#61; string, key_length &#61; number &#125;&#41;,&#10;        &#123; algorithm &#61; &#34;rsasha256&#34;, key_length &#61; 2048 &#125;&#10;      &#41;&#10;      zone_signing_key &#61; optional&#40;object&#40;&#10;        &#123; algorithm &#61; string, key_length &#61; number &#125;&#41;,&#10;        &#123; algorithm &#61; &#34;rsasha256&#34;, key_length &#61; 1024 &#125;&#10;      &#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  private &#61; optional&#40;object&#40;&#123;&#10;    client_networks             &#61; list&#40;string&#41;&#10;    service_directory_namespace &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [zone_config](variables.tf#L78) | DNS zone configuration. | <code title="object&#40;&#123;&#10;  domain         &#61; string&#10;  forwarding &#61; optional&#40;object&#40;&#123;&#10;    forwarders      &#61; optional&#40;map&#40;string&#41;&#41;&#10;    client_networks &#61; list&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  peering &#61; optional&#40;object&#40;&#123;&#10;    client_networks &#61; list&#40;string&#41;&#10;    peer_network    &#61; string&#10;  &#125;&#41;&#41;&#10;  public &#61; optional&#40;object&#40;&#123;&#10;    dnssec_config &#61; optional&#40;object&#40;&#123;&#10;      non_existence &#61; optional&#40;string, &#34;nsec3&#34;&#41;&#10;      state         &#61; string&#10;      key_signing_key &#61; optional&#40;object&#40;&#10;        &#123; algorithm &#61; string, key_length &#61; number &#125;&#41;,&#10;        &#123; algorithm &#61; &#34;rsasha256&#34;, key_length &#61; 2048 &#125;&#10;      &#41;&#10;      zone_signing_key &#61; optional&#40;object&#40;&#10;        &#123; algorithm &#61; string, key_length &#61; number &#125;&#41;,&#10;        &#123; algorithm &#61; &#34;rsasha256&#34;, key_length &#61; 1024 &#125;&#10;      &#41;&#10;    &#125;&#41;&#41;&#10;    enable_logging &#61; optional&#40;bool, false&#41;&#10;  &#125;&#41;&#41;&#10;  private &#61; optional&#40;object&#40;&#123;&#10;    client_networks             &#61; list&#40;string&#41;&#10;    service_directory_namespace &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/dns/main.tf b/modules/dns/main.tf
index d10b63199e..2c4c823031 100644
--- a/modules/dns/main.tf
+++ b/modules/dns/main.tf
@@ -139,7 +139,7 @@ resource "google_dns_managed_zone" "dns_managed_zone" {
     }
   }
   cloud_logging_config {
-    enable_logging = try(var.zone_config.enable_logging, false)
+    enable_logging = try(var.zone_config.public.enable_logging, false)
   }
 }
 
diff --git a/modules/dns/variables.tf b/modules/dns/variables.tf
index 1a9acf02c9..1d06792d23 100644
--- a/modules/dns/variables.tf
+++ b/modules/dns/variables.tf
@@ -79,7 +79,6 @@ variable "zone_config" {
   description = "DNS zone configuration."
   type = object({
     domain         = string
-    enable_logging = optional(bool, false)
     forwarding = optional(object({
       forwarders      = optional(map(string))
       client_networks = list(string)
@@ -101,6 +100,7 @@ variable "zone_config" {
           { algorithm = "rsasha256", key_length = 1024 }
         )
       }))
+      enable_logging = optional(bool, false)
     }))
     private = optional(object({
       client_networks             = list(string)