Terraform Google site verification
Terraform has no native support for Google site verification. A third-party provider can perform site verification using a DNS TXT record; it does not support the alternative DNS CNAME method.
Provider GitHub: https://github.com/hectorj/terraform-provider-googlesiteverification
Terraform Registry: https://registry.terraform.io/providers/hectorj/googlesiteverification/latest
Usage
Add the third-party provider to your Terraform configuration.
```hcl
terraform {
  required_providers {
    googlesiteverification = {
      source  = "hectorj/googlesiteverification"
      version = "0.4.2"
    }
  }
}
```
Configure Terraform for site verification using the Site Verification API and Google Cloud DNS. The google_* resources below assume the hashicorp/google provider is already configured for the target project.
```hcl
# Variables created for demonstration purposes; these values can be loaded from data sources instead.
variable "subdomain" {
  default = "test"
}

variable "google_dns_managed_zone_name" {
  default = "example-zone-name"
}

variable "google_dns_managed_zone_dns_name" {
  default = "example.com"
}

# Create a new service account
resource "google_service_account" "siteverifier" {
  account_id   = "google-site-verifier"
  display_name = "Google Site verification account"
}

# Generate a service account key.
# The private key is stored in plaintext in the Terraform state; restrict access to the state backend.
resource "google_service_account_key" "siteverifier" {
  service_account_id = google_service_account.siteverifier.name
}

# Initialise the provider with the service account key (private_key is base64-encoded JSON)
provider "googlesiteverification" {
  credentials = base64decode(google_service_account_key.siteverifier.private_key)
}

# Enable the Site Verification API
resource "google_project_service" "siteverification" {
  service = "siteverification.googleapis.com"
}

# Request a DNS token from the Site Verification API
data "googlesiteverification_dns_token" "run_sub_domain" {
  domain     = "${var.subdomain}.${var.google_dns_managed_zone_dns_name}"
  depends_on = [google_project_service.siteverification]
}

# Create a new DNS record in Cloud DNS with the verification token returned by googlesiteverification_dns_token
resource "google_dns_record_set" "run_sub_domain" {
  managed_zone = var.google_dns_managed_zone_name
  name         = data.googlesiteverification_dns_token.run_sub_domain.record_name
  rrdatas      = [data.googlesiteverification_dns_token.run_sub_domain.record_value]
  type         = data.googlesiteverification_dns_token.run_sub_domain.record_type
  ttl          = 60
}

# Ask Google to verify the newly added record. The explicit dependency makes Terraform create
# the DNS record before requesting verification; without it the two resources are independent.
resource "googlesiteverification_dns" "run_sub_domain" {
  domain     = "${var.subdomain}.${var.google_dns_managed_zone_dns_name}"
  token      = data.googlesiteverification_dns_token.run_sub_domain.record_value
  depends_on = [google_dns_record_set.run_sub_domain]
}
```
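As an added check (Python, not part of the original post or of the provider), the following audits the TXT records published for the verified name against the tokens Terraform manages: a missing token explains a failing googlesiteverification_dns apply, and a token nobody recognises points at another account's ownership claim on the name. The sample rrdatas are constructed; in practice they would come from a DNS lookup or the Cloud DNS API.

```python
import re

# Added example (not from the original post or the hectorj provider). Sample data is constructed.
PREFIX = "google-site-verification="
# Cloud DNS typically returns TXT rrdatas as one or more quoted segments, e.g. '"a b" "c"'.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def txt_value(rrdata):
    """Join the quoted segments of one TXT rrdata; unquoted input passes through unchanged."""
    segments = _QUOTED.findall(rrdata)
    return "".join(segments) if segments else rrdata


def verification_tokens(txt_rrdatas):
    """Tokens of every google-site-verification record, ignoring other TXT data such as SPF."""
    tokens = []
    for rr in txt_rrdatas:
        value = txt_value(rr).strip()
        token = value[len(PREFIX):]
        if value.startswith(PREFIX) and token and not any(c.isspace() for c in token):
            tokens.append(token)
    return tokens


def audit(txt_rrdatas, expected_tokens):
    """'missing' tokens mean googlesiteverification_dns fails until the record propagates;
    'unexpected' tokens belong to some other account's verification claim on the name."""
    published = set(verification_tokens(txt_rrdatas))
    expected = set(expected_tokens)
    return {
        "missing": sorted(expected - published),
        "unexpected": sorted(published - expected),
        "ready": expected <= published,
    }


# Constructed sample of what a TXT lookup of test.example.com might return.
SAMPLE_RRDATAS = [
    '"v=spf1 include:_spf.google.com ~all"',
    '"google-site-verification=EXPECTED_TOKEN_FROM_TERRAFORM_STATE"',
    '"google-site-verification=UNKNOWN_TOKEN_NOBODY_RECOGNISES"',
]
EXPECTED_TOKENS = ["EXPECTED_TOKEN_FROM_TERRAFORM_STATE"]

if __name__ == "__main__":
    print(audit(SAMPLE_RRDATAS, EXPECTED_TOKENS))
```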
Cons
- The provider does not seem to read authentication credentials from the gcloud application default credentials and requires the credentials to be passed as part of the provider initialization.
- The only way I got the provider to work is by creating a new service account, which seems to work, but I can't figure out why it doesn't work with the default gcloud credentials, which have owner access.
- The provider only supports the DNS_TXT verification method and does not support the CNAME verification method. Support for DNS_CNAME is required for a subdomain that already has a CNAME configured.
- The provider does not have any useful documentation to refer to as of version 0.4.2. Hopefully future releases will add some.