Update example of usage of Authz Policy (#12724)

GoogleCloudPlatform · Jan 10, 2025 · 38b6682 · 38b6682
1 parent b60c430
commit 38b6682
Show file tree

Hide file tree

Showing 2 changed files with 105 additions and 0 deletions.
diff --git a/mmv1/products/networksecurity/AuthzPolicy.yaml b/mmv1/products/networksecurity/AuthzPolicy.yaml
@@ -58,6 +58,9 @@ examples:
       url_name: 'l7-ilb-map'
       target_proxy_name: 'l7-ilb-proxy'
       forwarding_rule_name: 'l7-ilb-forwarding-rule'
+      callouts_instance_name: 'l7-ilb-callouts-ins'
+      callouts_instance_group_name: 'l7-ilb-callouts-ins-group'
+      callouts_health_check_name: 'l7-ilb-callouts-healthcheck'
       backend_authz_name: 'authz-service'
       authz_extension_name: 'my-authz-ext'
     test_env_vars:

diff --git a/mmv1/templates/terraform/examples/network_services_authz_policy_advanced.tf.tmpl b/mmv1/templates/terraform/examples/network_services_authz_policy_advanced.tf.tmpl
@@ -22,6 +22,78 @@ resource "google_compute_subnetwork" "proxy_only" {
   network       = google_compute_network.default.id
 }
 
+resource "google_compute_instance" "callouts_instance" {
+  name                = "{{index $.Vars "callouts_instance_name"}}"
+  zone                = "us-west1-a"
+  machine_type        = "e2-small"
+  tags                = ["allow-ssh","load-balanced-backend"]
+  deletion_protection = false
+
+  labels = {
+    "container-vm" = "cos-stable-109-17800-147-54"
+  }
+
+  network_interface {
+    network    = google_compute_network.default.id
+    subnetwork = google_compute_subnetwork.default.id
+    access_config {
+      # add external ip to fetch packages
+    }
+
+  }
+
+  boot_disk {
+    auto_delete  = true
+    initialize_params {
+      type  = "pd-standard"
+      size  = 10
+      image = "https://www.googleapis.com/compute/v1/projects/cos-cloud/global/images/cos-stable-109-17800-147-54"
+    }
+  }
+
+  metadata = {
+    gce-container-declaration = "# DISCLAIMER:\n# This container declaration format is not a public API and may change without\n# notice. Please use gcloud command-line tool or Google Cloud Console to run\n# Containers on Google Compute Engine.\n\nspec:\n  containers:\n  - image: us-docker.pkg.dev/service-extensions/ext-proc/service-callout-basic-example-python:latest\n    name: callouts-vm\n    securityContext:\n      privileged: false\n    stdin: false\n    tty: false\n    volumeMounts: []\n  restartPolicy: Always\n  volumes: []\n"
+    google-logging-enabled = "true"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "google_compute_instance_group" "callouts_instance_group" {
+  name        = "{{index $.Vars "callouts_instance_group_name"}}"
+  description = "Terraform test instance group"
+  zone        = "us-west1-a"
+
+  instances = [
+    google_compute_instance.callouts_instance.id,
+  ]
+
+  named_port {
+    name = "http"
+    port = "80"
+  }
+
+  named_port {
+    name = "grpc"
+    port = "443"
+  }
+}
+
+resource "google_compute_region_health_check" "callouts_health_check" {
+  name     = "{{index $.Vars "callouts_health_check_name"}}"
+  region   = "us-west1"
+
+  http_health_check {
+    port = 80
+  }
+
+  depends_on = [
+    google_compute_region_health_check.default
+  ]
+}
+
 resource "google_compute_address" "default" {
   name         = "{{index $.Vars "address_name"}}"
   project      = "{{index $.TestEnvVars "project"}}"
@@ -87,6 +159,13 @@ resource "google_compute_region_backend_service" "authz_extension" {
   protocol              = "HTTP2"
   load_balancing_scheme = "INTERNAL_MANAGED"
   port_name             = "grpc"
+
+  health_checks = [google_compute_region_health_check.callouts_health_check.id] 
+  backend {
+    group = google_compute_instance_group.callouts_instance_group.id
+    balancing_mode = "UTILIZATION"
+    capacity_scaler = 1.0
+  }
 }
 
 resource "google_network_services_authz_extension" "default" {
@@ -120,4 +199,27 @@ resource "google_network_security_authz_policy" "{{$.PrimaryResourceId}}" {
       resources = [ google_network_services_authz_extension.default.id ]
     }
   }
+
+  http_rules {
+    from {
+      not_sources {
+        principals {
+          exact = "dummy-principal"
+        }
+      }
+    }
+    to {
+      operations {
+        header_set {
+          headers {
+            name = "test-header"
+            value {
+              exact = "test-value"
+              ignore_case = true
+            }
+          }
+        }
+      }
+    }
+  }
 }