How to automate Google site verification with terraform

For a number of Google Cloud Platform services I need to perform a Google site verification in order to prove that I actually own a domain. Unfortunately, the Google Terraform provider does not provide support for this. In this blog I will show you how to automate this using a custom Terraform provider.

Although Google provides the site verification API to automate
the process, the Google terraform provider does not support this. Fortunately, Hector Jusforgues created a Terraform provider specifically for this purpose.

There are a number of ways I can prove I own the domain: by meta tag, HTML file, Google Analytics tracking code, Google Tag Manager container code or DNS records. The provider implements the DNS TXT method.

how to automate?

I automate the verification of ownership of the domain in the following steps:

  1. install the terraform Google site verification plugin
  2. enable the Google site verification API
  3. create a Cloud DNS hosted zone for your domain
  4. register the NS records at the parent domain
  5. insert the TXT record in the Cloud DNS hosted zone
  6. request site verification at Google.

install the plugin

To install the plugin, follow the installation instructions from terraform-provider-google-site-verifier.

enable the site verification API

The following Terraform snippet enables the site verification API:

resource "google_project_service" "siteverification" {
  service = "siteverification.googleapis.com"
}

create the hosted zone in Cloud DNS

The following Terraform snippet creates the hosted zone in Cloud DNS:

resource "google_dns_managed_zone" "domain" {
  name     = replace(var.domain_name, ".", "-")
  dns_name = "${var.domain_name}."
}

I use a separate hosted zone, as it allows me to maintain the entire hosted zone within Google via Terraform.

register NS records in parent domain

The following Terraform snippet registers the NS records in the parent domain:

data "aws_route53_zone" "parent" {
  name = "${local.parent_domain_name}."
}

resource "aws_route53_record" "domain_ns_records" {
  zone_id = data.aws_route53_zone.parent.zone_id
  name    = "${var.domain_name}."
  type    = "NS"
  ttl     = "60"
  records = google_dns_managed_zone.domain.name_servers
}

In my case, the parent domain is registered in AWS.

insert the validation record in Cloud DNS

The following Terraform snippet requests the required token and inserts the validation record in Cloud DNS:

data "google-site-verifier_dns_token" "domain" {
  domain     = var.domain_name
  depends_on = [google_project_service.siteverification]
}

resource "google_dns_record_set" "domain" {
  managed_zone = google_dns_managed_zone.domain.name
  name         = "${data.google-site-verifier_dns_token.domain.record_name}."
  rrdatas      = [data.google-site-verifier_dns_token.domain.record_value]
  type         = data.google-site-verifier_dns_token.domain.record_type
  ttl          = 60
}

request site verification at Google

The following Terraform snippet requests the site verification at Google:

resource "google-site-verifier_dns" "domain" {
  domain     = var.domain_name
  token      = data.google-site-verifier_dns_token.domain.record_value
  depends_on = [aws_route53_record.domain_ns_records]
}
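The snippets above use var.domain_name and local.parent_domain_name without declaring them. As an added example (not from the original post or the provider), here is one way to declare them, deriving the parent zone name from the domain and rejecting input that would break the "${var.domain_name}." interpolations; it assumes Terraform 0.13 or later for the variable validation block:

```hcl
# Added example, not part of the original post: inputs the snippets rely on.
variable "domain_name" {
  description = "Domain to verify, without trailing dot (e.g. google.binx.dev)"
  type        = string

  validation {
    # Need at least three labels so that a parent zone (e.g. binx.dev) exists,
    # and no trailing dot, because the snippets append the dot themselves.
    condition = (
      length(split(".", var.domain_name)) >= 3 &&
      length(regexall("\\.$", var.domain_name)) == 0
    )
    error_message = "domain_name must be a subdomain such as google.binx.dev, without a trailing dot."
  }
}

locals {
  # Drop the first label: google.binx.dev -> binx.dev, the Route53 zone
  # that holds the NS delegation.
  domain_labels      = split(".", var.domain_name)
  parent_domain_name = join(".", slice(local.domain_labels, 1, length(local.domain_labels)))
}
```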

applying the changes

To apply the changes, type:

$ terraform apply --auto-approve
data.aws_route53_zone.parent: Refreshing state...
google_project_service.siteverification: Creating...
google_dns_managed_zone.domain: Creating...
google_dns_managed_zone.domain: Creation complete after 1s [id=projects/binx-demo/managedZones/google-binx-dev]
aws_route53_record.domain_ns_records: Creating...
google_project_service.siteverification: Creation complete after 4s [id=binx-demo/siteverification.googleapis.com]
data.google-site-verifier_dns_token.domain: Refreshing state...
google_dns_record_set.domain: Creating...
aws_route53_record.domain_ns_records: Still creating... [10s elapsed]
google_dns_record_set.domain: Creation complete after 4s [id=google-binx-dev/google.binx.dev./TXT]
aws_route53_record.domain_ns_records: Still creating... [20s elapsed]
aws_route53_record.domain_ns_records: Still creating... [30s elapsed]
aws_route53_record.domain_ns_records: Creation complete after 40s [id=XXXXXXXXXXXX_google.binx.dev._NS]
google-site-verifier_dns.domain: Creating...
google-site-verifier_dns.domain: Still creating... [10s elapsed]
google-site-verifier_dns.domain: Still creating... [20s elapsed]
google-site-verifier_dns.domain: Still creating... [30s elapsed]
google-site-verifier_dns.domain: Still creating... [40s elapsed]
google-site-verifier_dns.domain: Creation complete after 42s [id=google.binx.dev.]

Apply complete! Resources: 5 added, 0 changed, 0 destroyed.

viewing the result

When you go to the site verification website you can see the result. It should look something like this:

Verification attempts

Date                                      Email   Result                    Method
2 minutes ago (9/25/20 7:33:07 PM UTC)            Verification succeeded.   DNS TXT record
2 minutes ago (9/25/20 7:32:56 PM UTC)            Verification failed.      DNS TXT record
2 minutes ago (9/25/20 7:32:45 PM UTC)            Verification failed.      DNS TXT record
2 minutes ago (9/25/20 7:32:36 PM UTC)            Verification failed.      DNS TXT record
2 minutes ago (9/25/20 7:32:32 PM UTC)            Verification failed.      DNS TXT record
2 minutes ago (9/25/20 7:32:29 PM UTC)            Verification failed.      DNS TXT record
2 minutes ago (9/25/20 7:32:27 PM UTC)            Verification failed.      DNS TXT record

conclusion

With the Terraform provider for Google site verification I automated the validation of domain ownership to Google. It would be nice if this functionality were part of the standard Google provider. If you think so too, please up-vote Add resources to validate a domain #5698.

For the complete source code, see the github repository.


Mark van Holsteijn is a senior software systems architect, and CTO of binx.io. He is passionate about removing waste in the software delivery process and keeping things clear and simple.