From f1747f60ca0bac545cc50b87217a0bb10b52232e Mon Sep 17 00:00:00 2001 From: The Magician Date: Fri, 10 Jan 2025 10:16:51 -0800 Subject: [PATCH] Update example of usage of Authz Policy (#12724) (#9033) [upstream:38b66824452ad607339253f2f1f1d714567d6b17] Signed-off-by: Modular Magician --- .changelog/12724.txt | 3 + ...rk_security_authz_policy_generated_test.go | 102 ++++++++++++++++++ ...etwork_security_authz_policy.html.markdown | 102 ++++++++++++++++++ 3 files changed, 207 insertions(+) create mode 100644 .changelog/12724.txt diff --git a/.changelog/12724.txt b/.changelog/12724.txt new file mode 100644 index 0000000000..02cbe9972d --- /dev/null +++ b/.changelog/12724.txt @@ -0,0 +1,3 @@ +```release-note: none + +``` \ No newline at end of file diff --git a/google-beta/services/networksecurity/resource_network_security_authz_policy_generated_test.go b/google-beta/services/networksecurity/resource_network_security_authz_policy_generated_test.go index e114e3fd7e..367bc42e3f 100644 --- a/google-beta/services/networksecurity/resource_network_security_authz_policy_generated_test.go +++ b/google-beta/services/networksecurity/resource_network_security_authz_policy_generated_test.go 
@@ -83,6 +83,78 @@ resource "google_compute_subnetwork" "proxy_only" { network = google_compute_network.default.id } +resource "google_compute_instance" "callouts_instance" { + name = "tf-test-l7-ilb-callouts-ins%{random_suffix}" + zone = "us-west1-a" + machine_type = "e2-small" + tags = ["allow-ssh","load-balanced-backend"] + deletion_protection = false + + labels = { + "container-vm" = "cos-stable-109-17800-147-54" + } + + network_interface { + network = google_compute_network.default.id + subnetwork = google_compute_subnetwork.default.id + access_config { + # add external ip to fetch packages + } + + } + + boot_disk { + auto_delete = true + initialize_params { + type = "pd-standard" + size = 10 + image = "https://www.googleapis.com/compute/v1/projects/cos-cloud/global/images/cos-stable-109-17800-147-54" + } + } + + metadata = { + gce-container-declaration = "# DISCLAIMER:\n# This container declaration format is not a public API and may change without\n# notice. Please use gcloud command-line tool or Google Cloud Console to run\n# Containers on Google Compute Engine.\n\nspec:\n containers:\n - image: us-docker.pkg.dev/service-extensions/ext-proc/service-callout-basic-example-python:latest\n name: callouts-vm\n securityContext:\n privileged: false\n stdin: false\n tty: false\n volumeMounts: []\n restartPolicy: Always\n volumes: []\n" + google-logging-enabled = "true" + } + + lifecycle { + create_before_destroy = true + } +} + +resource "google_compute_instance_group" "callouts_instance_group" { + name = "tf-test-l7-ilb-callouts-ins-group%{random_suffix}" + description = "Terraform test instance group" + zone = "us-west1-a" + + instances = [ + google_compute_instance.callouts_instance.id, + ] + + named_port { + name = "http" + port = "80" + } + + named_port { + name = "grpc" + port = "443" + } +} + +resource "google_compute_region_health_check" "callouts_health_check" { + name = "tf-test-l7-ilb-callouts-healthcheck%{random_suffix}" + region = "us-west1" + + 
http_health_check { + port = 80 + } + + depends_on = [ + google_compute_region_health_check.default + ] +} + resource "google_compute_address" "default" { name = "tf-test-l7-ilb-ip-address%{random_suffix}" project = "%{project}" @@ -148,6 +220,13 @@ resource "google_compute_region_backend_service" "authz_extension" { protocol = "HTTP2" load_balancing_scheme = "INTERNAL_MANAGED" port_name = "grpc" + + health_checks = [google_compute_region_health_check.callouts_health_check.id] + backend { + group = google_compute_instance_group.callouts_instance_group.id + balancing_mode = "UTILIZATION" + capacity_scaler = 1.0 + } } resource "google_network_services_authz_extension" "default" { @@ -181,6 +260,29 @@ resource "google_network_security_authz_policy" "default" { resources = [ google_network_services_authz_extension.default.id ] } } + + http_rules { + from { + not_sources { + principals { + exact = "dummy-principal" + } + } + } + to { + operations { + header_set { + headers { + name = "test-header" + value { + exact = "test-value" + ignore_case = true + } + } + } + } + } + } } `, context) } diff --git a/website/docs/r/network_security_authz_policy.html.markdown b/website/docs/r/network_security_authz_policy.html.markdown index 12ef6d9ddc..f99c07415e 100644 --- a/website/docs/r/network_security_authz_policy.html.markdown +++ b/website/docs/r/network_security_authz_policy.html.markdown 
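Review bot: The container declaration in the `metadata` block of the new `google_compute_instance` pulls `service-callout-basic-example-python:latest`, a mutable tag, so what this test (and the example users copy from it) runs changes silently whenever that tag is re-pushed, unlike the boot image, which is pinned to `cos-stable-109-17800-147-54`; pin the callout image the same way, e.g. `- image: us-docker.pkg.dev/service-extensions/ext-proc/service-callout-basic-example-python@sha256:<IMAGE_DIGEST>` (digest is a placeholder). The same instance also gets an empty `access_config {}` (ephemeral public IP) together with the `allow-ssh` tag, which the comment justifies only with "add external ip to fetch packages"; if `google_compute_subnetwork.default` (outside this hunk) has Private Google Access enabled, the image pull from `us-docker.pkg.dev` works without the public address, so either drop `access_config` or expand the comment to `# ephemeral external IP only so the container image can be pulled; remove if the subnet has Private Google Access`. The identical template appears in the `@@ -54` hunk of the markdown page, so both copies need the change. The enclosing Go test function and its raw string start before and end after this hunk.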
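Review bot: The new `health_checks = [google_compute_region_health_check.callouts_health_check.id]` line wires an `http_health_check` on port 80 to a backend service that is `protocol = "HTTP2"` with `port_name = "grpc"` (named port 443 in the instance group), so the probe and the traffic use different ports and protocols, and nothing in the diff shows that the callout container answers on 80. If that is how the example container behaves, say so next to the health check so readers do not "fix" the mismatch: `# the callout container serves plain-HTTP health checks on :80; extension traffic uses the "grpc" named port (443)`, marked to be confirmed against the image. Otherwise the backend stays unhealthy and the authz extension never receives traffic. The `@@ -119` hunk of the markdown page has the same lines.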
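Review bot: The added `http_rules` block matches `from { not_sources { principals { exact = "dummy-principal" } } }`, and because `not_sources` negates the match this rule applies to every request whose principal is not exactly that string, i.e. effectively all traffic; that is probably intended for a CUSTOM/extension policy, but the policy's `action` is outside this hunk and a reader copying the example will not see why the rule is this broad. Add a comment above `http_rules {` such as `# deliberately broad: matches every request except the placeholder principal, so all traffic is sent to the authz extension`, and consider a less production-looking placeholder than `dummy-principal` so it is not copied verbatim into a real policy. The same block is added in the `@@ -152` hunk of the markdown page. The closing lines of the raw string and of the Go function follow this hunk.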
@@ -54,6 +54,78 @@ resource "google_compute_subnetwork" "proxy_only" { network = google_compute_network.default.id } +resource "google_compute_instance" "callouts_instance" { + name = "l7-ilb-callouts-ins" + zone = "us-west1-a" + machine_type = "e2-small" + tags = ["allow-ssh","load-balanced-backend"] + deletion_protection = false + + labels = { + "container-vm" = "cos-stable-109-17800-147-54" + } + + network_interface { + network = google_compute_network.default.id + subnetwork = google_compute_subnetwork.default.id + access_config { + # add external ip to fetch packages + } + + } + + boot_disk { + auto_delete = true + initialize_params { + type = "pd-standard" + size = 10 + image = "https://www.googleapis.com/compute/v1/projects/cos-cloud/global/images/cos-stable-109-17800-147-54" + } + } + + metadata = { + gce-container-declaration = "# DISCLAIMER:\n# This container declaration format is not a public API and may change without\n# notice. Please use gcloud command-line tool or Google Cloud Console to run\n# Containers on Google Compute Engine.\n\nspec:\n containers:\n - image: us-docker.pkg.dev/service-extensions/ext-proc/service-callout-basic-example-python:latest\n name: callouts-vm\n securityContext:\n privileged: false\n stdin: false\n tty: false\n volumeMounts: []\n restartPolicy: Always\n volumes: []\n" + google-logging-enabled = "true" + } + + lifecycle { + create_before_destroy = true + } +} + +resource "google_compute_instance_group" "callouts_instance_group" { + name = "l7-ilb-callouts-ins-group" + description = "Terraform test instance group" + zone = "us-west1-a" + + instances = [ + google_compute_instance.callouts_instance.id, + ] + + named_port { + name = "http" + port = "80" + } + + named_port { + name = "grpc" + port = "443" + } +} + +resource "google_compute_region_health_check" "callouts_health_check" { + name = "l7-ilb-callouts-healthcheck" + region = "us-west1" + + http_health_check { + port = 80 + } + + depends_on = [ + 
google_compute_region_health_check.default + ] +} + resource "google_compute_address" "default" { name = "l7-ilb-ip-address" project = "my-project-name" @@ -119,6 +191,13 @@ resource "google_compute_region_backend_service" "authz_extension" { protocol = "HTTP2" load_balancing_scheme = "INTERNAL_MANAGED" port_name = "grpc" + + health_checks = [google_compute_region_health_check.callouts_health_check.id] + backend { + group = google_compute_instance_group.callouts_instance_group.id + balancing_mode = "UTILIZATION" + capacity_scaler = 1.0 + } } resource "google_network_services_authz_extension" "default" { @@ -152,6 +231,29 @@ resource "google_network_security_authz_policy" "default" { resources = [ google_network_services_authz_extension.default.id ] } } + + http_rules { + from { + not_sources { + principals { + exact = "dummy-principal" + } + } + } + to { + operations { + header_set { + headers { + name = "test-header" + value { + exact = "test-value" + ignore_case = true + } + } + } + } + } + } } ```