Update example of usage of Authz Policy (#12724) (#9033)

[upstream:38b66824452ad607339253f2f1f1d714567d6b17] Signed-off-by: Modular Magician <[email protected]>
hashicorp · Jan 10, 2025 · f1747f6 · f1747f6
1 parent 14b35f2
commit f1747f6
Show file tree

Hide file tree

Showing 3 changed files with 207 additions and 0 deletions.
diff --git a/.changelog/12724.txt b/.changelog/12724.txt
@@ -0,0 +1,3 @@
+```release-note: none
+
+```
diff --git a/...le-beta/services/networksecurity/resource_network_security_authz_policy_generated_test.go b/...le-beta/services/networksecurity/resource_network_security_authz_policy_generated_test.go
@@ -83,6 +83,78 @@ resource "google_compute_subnetwork" "proxy_only" {
   network       = google_compute_network.default.id
 }
 
+resource "google_compute_instance" "callouts_instance" {
+  name                = "tf-test-l7-ilb-callouts-ins%{random_suffix}"
+  zone                = "us-west1-a"
+  machine_type        = "e2-small"
+  tags                = ["allow-ssh","load-balanced-backend"]
+  deletion_protection = false
+
+  labels = {
+    "container-vm" = "cos-stable-109-17800-147-54"
+  }
+
+  network_interface {
+    network    = google_compute_network.default.id
+    subnetwork = google_compute_subnetwork.default.id
+    access_config {
+      # add external ip to fetch packages
+    }
+
+  }
+
+  boot_disk {
+    auto_delete  = true
+    initialize_params {
+      type  = "pd-standard"
+      size  = 10
+      image = "https://www.googleapis.com/compute/v1/projects/cos-cloud/global/images/cos-stable-109-17800-147-54"
+    }
+  }
+
+  metadata = {
+    gce-container-declaration = "# DISCLAIMER:\n# This container declaration format is not a public API and may change without\n# notice. Please use gcloud command-line tool or Google Cloud Console to run\n# Containers on Google Compute Engine.\n\nspec:\n  containers:\n  - image: us-docker.pkg.dev/service-extensions/ext-proc/service-callout-basic-example-python:latest\n    name: callouts-vm\n    securityContext:\n      privileged: false\n    stdin: false\n    tty: false\n    volumeMounts: []\n  restartPolicy: Always\n  volumes: []\n"
+    google-logging-enabled = "true"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "google_compute_instance_group" "callouts_instance_group" {
+  name        = "tf-test-l7-ilb-callouts-ins-group%{random_suffix}"
+  description = "Terraform test instance group"
+  zone        = "us-west1-a"
+
+  instances = [
+    google_compute_instance.callouts_instance.id,
+  ]
+
+  named_port {
+    name = "http"
+    port = "80"
+  }
+
+  named_port {
+    name = "grpc"
+    port = "443"
+  }
+}
+
+resource "google_compute_region_health_check" "callouts_health_check" {
+  name     = "tf-test-l7-ilb-callouts-healthcheck%{random_suffix}"
+  region   = "us-west1"
+
+  http_health_check {
+    port = 80
+  }
+
+  depends_on = [
+    google_compute_region_health_check.default
+  ]
+}
+
 resource "google_compute_address" "default" {
   name         = "tf-test-l7-ilb-ip-address%{random_suffix}"
   project      = "%{project}"
@@ -148,6 +220,13 @@ resource "google_compute_region_backend_service" "authz_extension" {
   protocol              = "HTTP2"
   load_balancing_scheme = "INTERNAL_MANAGED"
   port_name             = "grpc"
+
+  health_checks = [google_compute_region_health_check.callouts_health_check.id] 
+  backend {
+    group = google_compute_instance_group.callouts_instance_group.id
+    balancing_mode = "UTILIZATION"
+    capacity_scaler = 1.0
+  }
 }
 
 resource "google_network_services_authz_extension" "default" {
@@ -181,6 +260,29 @@ resource "google_network_security_authz_policy" "default" {
       resources = [ google_network_services_authz_extension.default.id ]
     }
   }
+
+  http_rules {
+    from {
+      not_sources {
+        principals {
+          exact = "dummy-principal"
+        }
+      }
+    }
+    to {
+      operations {
+        header_set {
+          headers {
+            name = "test-header"
+            value {
+              exact = "test-value"
+              ignore_case = true
+            }
+          }
+        }
+      }
+    }
+  }
 }
 `, context)
 }

diff --git a/website/docs/r/network_security_authz_policy.html.markdown b/website/docs/r/network_security_authz_policy.html.markdown
@@ -54,6 +54,78 @@ resource "google_compute_subnetwork" "proxy_only" {
   network       = google_compute_network.default.id
 }
 
+resource "google_compute_instance" "callouts_instance" {
+  name                = "l7-ilb-callouts-ins"
+  zone                = "us-west1-a"
+  machine_type        = "e2-small"
+  tags                = ["allow-ssh","load-balanced-backend"]
+  deletion_protection = false
+
+  labels = {
+    "container-vm" = "cos-stable-109-17800-147-54"
+  }
+
+  network_interface {
+    network    = google_compute_network.default.id
+    subnetwork = google_compute_subnetwork.default.id
+    access_config {
+      # add external ip to fetch packages
+    }
+
+  }
+
+  boot_disk {
+    auto_delete  = true
+    initialize_params {
+      type  = "pd-standard"
+      size  = 10
+      image = "https://www.googleapis.com/compute/v1/projects/cos-cloud/global/images/cos-stable-109-17800-147-54"
+    }
+  }
+
+  metadata = {
+    gce-container-declaration = "# DISCLAIMER:\n# This container declaration format is not a public API and may change without\n# notice. Please use gcloud command-line tool or Google Cloud Console to run\n# Containers on Google Compute Engine.\n\nspec:\n  containers:\n  - image: us-docker.pkg.dev/service-extensions/ext-proc/service-callout-basic-example-python:latest\n    name: callouts-vm\n    securityContext:\n      privileged: false\n    stdin: false\n    tty: false\n    volumeMounts: []\n  restartPolicy: Always\n  volumes: []\n"
+    google-logging-enabled = "true"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "google_compute_instance_group" "callouts_instance_group" {
+  name        = "l7-ilb-callouts-ins-group"
+  description = "Terraform test instance group"
+  zone        = "us-west1-a"
+
+  instances = [
+    google_compute_instance.callouts_instance.id,
+  ]
+
+  named_port {
+    name = "http"
+    port = "80"
+  }
+
+  named_port {
+    name = "grpc"
+    port = "443"
+  }
+}
+
+resource "google_compute_region_health_check" "callouts_health_check" {
+  name     = "l7-ilb-callouts-healthcheck"
+  region   = "us-west1"
+
+  http_health_check {
+    port = 80
+  }
+
+  depends_on = [
+    google_compute_region_health_check.default
+  ]
+}
+
 resource "google_compute_address" "default" {
   name         = "l7-ilb-ip-address"
   project      = "my-project-name"
@@ -119,6 +191,13 @@ resource "google_compute_region_backend_service" "authz_extension" {
   protocol              = "HTTP2"
   load_balancing_scheme = "INTERNAL_MANAGED"
   port_name             = "grpc"
+
+  health_checks = [google_compute_region_health_check.callouts_health_check.id] 
+  backend {
+    group = google_compute_instance_group.callouts_instance_group.id
+    balancing_mode = "UTILIZATION"
+    capacity_scaler = 1.0
+  }
 }
 
 resource "google_network_services_authz_extension" "default" {
@@ -152,6 +231,29 @@ resource "google_network_security_authz_policy" "default" {
       resources = [ google_network_services_authz_extension.default.id ]
     }
   }
+
+  http_rules {
+    from {
+      not_sources {
+        principals {
+          exact = "dummy-principal"
+        }
+      }
+    }
+    to {
+      operations {
+        header_set {
+          headers {
+            name = "test-header"
+            value {
+              exact = "test-value"
+              ignore_case = true
+            }
+          }
+        }
+      }
+    }
+  }
 }
 ```