For a number of Google Cloud Platform services I need to perform a Google site verification in order to prove that I actually own a domain. Unfortunately, the Google Terraform provider does not provide support for this. In this blog I will show you how to automate this using a custom Terraform provider.
Although Google provides the site verification API to automate the process, the Google Terraform provider does not support it. Fortunately, Hector Jusforgues created a Terraform provider specifically for this purpose.
There are a number of ways I can prove I own the domain: by meta tag, HTML file, Google Analytics tracking code, Google Tag Manager container code or DNS records. The provider implements the DNS TXT method.
how to automate?
I automate the verification of ownership of the domain in the following steps:
- install the terraform Google site verification plugin
- enable the Google site verification API
- create a Cloud DNS hosted zone for your domain
- register the NS records at the parent domain
- insert the TXT record in the Cloud DNS hosted zone
- request site verification at Google.
install the plugin
To install the plugin, follow the installation instructions from terraform-provider-googlesiteverification.
terraform {
  required_providers {
    googlesiteverification = {
      source  = "hectorj/googlesiteverification"
      version = "0.4.2"
    }
  }
}
enable the Google site verification API
The following Terraform snippet enables the site verification API:
resource "google_project_service" "siteverification" {
  service = "siteverification.googleapis.com"
}
create the hosted zone in Cloud DNS
The following Terraform snippet creates the hosted zone in Cloud DNS:
resource "google_dns_managed_zone" "domain" {
  name     = replace(var.domain_name, ".", "-")
  dns_name = "${var.domain_name}."
}
I use a separate hosted zone, as it allows me to maintain the entire hosted zone within Google via Terraform.
register NS records in parent domain
The following Terraform snippet registers the NS records in the parent domain:
data "aws_route53_zone" "parent" {
  name = "${local.parent_domain_name}."
}

resource "aws_route53_record" "domain_ns_records" {
  zone_id = data.aws_route53_zone.parent.zone_id
  name    = "${var.domain_name}."
  type    = "NS"
  ttl     = "60"
  records = google_dns_managed_zone.domain.name_servers
}
In my case, the parent domain is registered in AWS.
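The snippets on this page reference `var.domain_name` and `local.parent_domain_name` without showing their definitions. One way to define them, as an added example that is not taken from the original post or its repository; it assumes the parent zone is the domain minus its leftmost label, and the local `labels` is a hypothetical helper name:

```hcl
variable "domain_name" {
  description = "Domain to verify, without a trailing dot."
  type        = string

  # Reject values that would produce a malformed zone or record name.
  validation {
    condition     = can(regex("^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\\.)+[a-z]{2,}$", var.domain_name))
    error_message = "The domain_name must be a lowercase fully qualified domain name without a trailing dot."
  }

  # The NS delegation is written into the parent zone, so the domain must
  # have a parent that is itself a hosted zone and not a bare TLD.
  validation {
    condition     = length(split(".", var.domain_name)) >= 3
    error_message = "The domain_name must be a subdomain with at least three labels."
  }
}

locals {
  # Assumption: the parent zone is the domain with its leftmost label removed.
  labels             = split(".", var.domain_name)
  parent_domain_name = join(".", slice(local.labels, 1, length(local.labels)))
}
```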
insert the validation record in Cloud DNS
The following Terraform snippet requests the required token and inserts the validation record in Cloud DNS:
data "googlesiteverification_dns_token" "domain" {
  domain     = var.domain_name
  depends_on = [google_project_service.siteverification]
}

resource "google_dns_record_set" "domain" {
  managed_zone = google_dns_managed_zone.domain.name
  name         = "${data.googlesiteverification_dns_token.domain.record_name}."
  rrdatas      = [data.googlesiteverification_dns_token.domain.record_value]
  type         = data.googlesiteverification_dns_token.domain.record_type
  ttl          = 60
}
request site verification at Google.
The following Terraform snippet requests the site verification at Google:
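resource "googlesiteverification_dns" "domain" {
  domain = var.domain_name
  token  = data.googlesiteverification_dns_token.domain.record_value

  # Wait for both the NS delegation and the TXT record; without the second
  # entry nothing orders this resource after the record set.
  depends_on = [
    aws_route53_record.domain_ns_records,
    google_dns_record_set.domain,
  ]
}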
applying the changes
To apply, type:
$ terraform apply --auto-approve
data.aws_route53_zone.parent: Refreshing state...
google_project_service.siteverification: Creating...
google_dns_managed_zone.domain: Creating...
google_dns_managed_zone.domain: Creation complete after 1s [id=projects/binx-demo/managedZones/google-binx-dev]
aws_route53_record.domain_ns_records: Creating...
google_project_service.siteverification: Creation complete after 4s [id=binx-demo/siteverification.googleapis.com]
data.google-site-verifier_dns_token.domain: Refreshing state...
google_dns_record_set.domain: Creating...
aws_route53_record.domain_ns_records: Still creating... [10s elapsed]
google_dns_record_set.domain: Creation complete after 4s [id=google-binx-dev/google.binx.dev./TXT]
aws_route53_record.domain_ns_records: Still creating... [20s elapsed]
aws_route53_record.domain_ns_records: Still creating... [30s elapsed]
aws_route53_record.domain_ns_records: Creation complete after 40s [id=XXXXXXXXXXXX_google.binx.dev._NS]
google-site-verifier_dns.domain: Creating...
google-site-verifier_dns.domain: Still creating... [10s elapsed]
google-site-verifier_dns.domain: Still creating... [20s elapsed]
google-site-verifier_dns.domain: Still creating... [30s elapsed]
google-site-verifier_dns.domain: Still creating... [40s elapsed]
google-site-verifier_dns.domain: Creation complete after 42s [id=google.binx.dev.]
Apply complete! Resources: 5 added, 0 changed, 0 destroyed.
viewing the result
When you go to the site verification website you can see the result and it should look something like this:
Verification attempts
| Date | Email | Result | Method |
| --- | --- | --- | --- |
| 2 minutes ago, 9/25/20 7:33:07 PM UTC | google-site-verifier@binx-demo.iam.gserviceaccount.com | Verification succeeded. | DNS TXT record |
| 2 minutes ago, 9/25/20 7:32:56 PM UTC | google-site-verifier@binx-demo.iam.gserviceaccount.com | Verification failed. | DNS TXT record |
| 2 minutes ago, 9/25/20 7:32:45 PM UTC | google-site-verifier@binx-demo.iam.gserviceaccount.com | Verification failed. | DNS TXT record |
| 2 minutes ago, 9/25/20 7:32:36 PM UTC | google-site-verifier@binx-demo.iam.gserviceaccount.com | Verification failed. | DNS TXT record |
| 2 minutes ago, 9/25/20 7:32:32 PM UTC | google-site-verifier@binx-demo.iam.gserviceaccount.com | Verification failed. | DNS TXT record |
| 2 minutes ago, 9/25/20 7:32:29 PM UTC | google-site-verifier@binx-demo.iam.gserviceaccount.com | Verification failed. | DNS TXT record |
| 2 minutes ago, 9/25/20 7:32:27 PM UTC | google-site-verifier@binx-demo.iam.gserviceaccount.com | Verification failed. | DNS TXT record |
conclusion
With the Terraform provider for Google site verification I automated the validation of domain ownership to Google. It would be nice if this functionality were part of the standard Google provider. If you think so too, please up-vote Add resources to validate a domain #5698.
For the complete source code, see the GitHub repository.