Add Authz Extension and Authz Policy resources (#12379)

mmv1/products/networkservices/AuthzExtension.yaml

@@ -0,0 +1,153 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: 'AuthzExtension'
+description: |
+  AuthzExtension is a resource that allows traffic forwarding to a callout backend service to make an authorization decision.
+references:
+  guides:
+  api: 'https://cloud.google.com/service-extensions/docs/reference/rest/v1beta1/projects.locations.authzExtensions'
+docs:
+base_url: 'projects/{{project}}/locations/{{location}}/authzExtensions'
+self_link: 'projects/{{project}}/locations/{{location}}/authzExtensions/{{name}}'
+create_url: 'projects/{{project}}/locations/{{location}}/authzExtensions?authzExtensionId={{name}}'
+update_verb: 'PATCH'
+update_mask: true
+import_format:
+  - 'projects/{{project}}/locations/{{location}}/authzExtensions/{{name}}'
+  - '{{name}}'
+timeouts:
+  insert_minutes: 30
+  update_minutes: 30
+  delete_minutes: 30
+autogen_async: true
+async:
+  actions: ['create', 'delete', 'update']
+  type: 'OpAsync'
+  operation:
+    base_url: '{{op_id}}'
+    path: 'name'
+    wait_ms: 1000
+    timeouts:
+      insert_minutes: 30
+      update_minutes: 30
+      delete_minutes: 30
+  result:
+    path: 'response'
+    resource_inside_response: false
+  error:
+    path: 'error'
+    message: 'message'
+custom_code:
+examples:
+  - name: 'network_services_authz_extension_basic'
+    primary_resource_id: 'default'
+    vars:
+      resource_name: 'my-authz-ext'
+      backend_name: 'authz-service'
+    test_env_vars:
+      project: 'PROJECT_NAME'
+parameters:
+  - name: 'name'
+    type: String
+    description: |
+      Identifier. Name of the AuthzExtension resource.
+    required: true
+    custom_flatten: 'templates/terraform/custom_flatten/name_from_self_link.tmpl'
+    custom_expand: 'templates/terraform/custom_expand/network_services_authz_extensions.tmpl'
+  - name: 'location'
+    type: String
+    description: |
+      The location of the resource.
+    url_param_only: true
+    required: true
+properties:
+  - name: 'createTime'
+    type: Time
+    description: |
+      The timestamp when the resource was created.
+    output: true
+  - name: 'updateTime'
+    type: Time
+    description: |
+      The timestamp when the resource was updated.
+    output: true
+  - name: 'description'
+    type: String
+    description: |
+      A human-readable description of the resource.
+  - name: 'labels'
+    type: KeyValueLabels
+    description: |
+      Set of labels associated with the AuthzExtension resource.
+  - name: 'loadBalancingScheme'
+    type: Enum
+    description: |
+      All backend services and forwarding rules referenced by this extension must share the same load balancing scheme.
+      For more information, refer to [Backend services overview](https://cloud.google.com/load-balancing/docs/backend-service).
+    required: true
+    enum_values:
+      - 'INTERNAL_MANAGED'
+      - 'EXTERNAL_MANAGED'
+  - name: 'authority'
+    type: String
+    description: |
+      The :authority header in the gRPC request sent from Envoy to the extension service.
+    required: true
+  - name: 'service'
+    type: ResourceRef
+    description: |
+      The reference to the service that runs the extension.
+      To configure a callout extension, service must be a fully-qualified reference to a [backend service](https://cloud.google.com/compute/docs/reference/rest/v1/backendServices) in the format:
+      https://www.googleapis.com/compute/v1/projects/{project}/regions/{region}/backendServices/{backendService} or https://www.googleapis.com/compute/v1/projects/{project}/global/backendServices/{backendService}.
+    required: true
+    diff_suppress_func: 'tpgresource.ProjectNumberDiffSuppress'
+    resource: 'BackendService'
+    imports: 'selfLink'
+  - name: 'timeout'
+    type: String
+    description: |
+      Specifies the timeout for each individual message on the stream. The timeout must be between 10-10000 milliseconds.
+    required: true
+    diff_suppress_func: 'tpgresource.DurationDiffSuppress'
+  - name: 'failOpen'
+    type: Boolean
+    description: |
+      Determines how the proxy behaves if the call to the extension fails or times out.
+      When set to TRUE, request or response processing continues without error. Any subsequent extensions in the extension chain are also executed. When set to FALSE or the default setting of FALSE is used, one of the following happens:
+      * If response headers have not been delivered to the downstream client, a generic 500 error is returned to the client. The error response can be tailored by configuring a custom error response in the load balancer.
+      * If response headers have been delivered, then the HTTP stream to the downstream client is reset.
+    default_from_api: true
+    send_empty_value: true
+  - name: 'metadata'
+    type: KeyValuePairs
+    description: |
+      The metadata provided here is included as part of the metadata_context (of type google.protobuf.Struct) in the ProcessingRequest message sent to the extension server. The metadata is available under the namespace com.google.authz_extension.<resourceName>. The following variables are supported in the metadata Struct:
+
+      {forwarding_rule_id} - substituted with the forwarding rule's fully qualified resource name.
+  - name: 'forwardHeaders'
+    type: Array
+    description: |
+      List of the HTTP headers to forward to the extension (from the client). If omitted, all headers are sent. Each element is a string indicating the header name.
+    item_type:
+      type: String
+  - name: 'wireFormat'
+    type: Enum
+    description: |
+      The format of communication supported by the callout extension.
+    default_value: "EXT_PROC_GRPC"
+    custom_flatten: 'templates/terraform/custom_flatten/default_if_empty.tmpl'
+    enum_values:
+      - 'WIRE_FORMAT_UNSPECIFIED'
+      - 'EXT_PROC_GRPC'

mmv1/templates/terraform/custom_expand/cloud_iap.tmpl

@@ -0,0 +1,28 @@
+{{/*
+	The license inside this block applies to this file
+	Copyright 2024 Google Inc.
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/ -}}
+func expand{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+		l := v.([]interface{})
+
+		if len(l) == 0 || l[0] == nil {
+			return nil, nil
+		}
+		raw := l[0]
+		original := raw.(map[string]interface{})
+		if isEnabled, ok := original["enabled"]; ok {
+			if !isEnabled.(bool) {
+				return nil, nil
+			}
+		}
+		transformed := make(map[string]interface{})
+		return transformed, nil
+}

mmv1/templates/terraform/custom_expand/network_services_authz_extensions.tmpl

@@ -0,0 +1,15 @@
+{{/*
+	The license inside this block applies to this file
+	Copyright 2024 Google Inc.
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/ -}}
+func expand{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return fmt.Sprintf("projects/%s/locations/%s/authzExtensions/%s", d.Get("project"), d.Get("location"), v), nil
+}

mmv1/templates/terraform/custom_expand/network_services_authz_policies.tmpl

@@ -0,0 +1,15 @@
+{{/*
+	The license inside this block applies to this file
+	Copyright 2024 Google Inc.
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/ -}}
+func expand{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return fmt.Sprintf("projects/%s/locations/%s/authzPolicies/%s", d.Get("project"), d.Get("location"), v), nil
+}

mmv1/templates/terraform/custom_flatten/cloud_iap.tmpl

@@ -0,0 +1,20 @@
+{{/*
+	The license inside this block applies to this file
+	Copyright 2024 Google Inc.
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/ -}}
+func flatten{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+		if v == nil {
+			return nil
+		}
+		transformed := make(map[string]interface{})
+		transformed["enabled"] = true
+		return []interface{}{transformed}
+}

mmv1/templates/terraform/examples/network_services_authz_extension_basic.tf.tmpl

@@ -0,0 +1,23 @@
+resource "google_compute_region_backend_service" "default" {
+  name                  = "{{index $.Vars "backend_name"}}"
+  project               = "{{index $.TestEnvVars "project"}}"
+  region                = "us-west1"
+
+  protocol              = "HTTP2"
+  load_balancing_scheme = "INTERNAL_MANAGED"
+  port_name             = "grpc"
+}
+
+resource "google_network_services_authz_extension" "{{$.PrimaryResourceId}}" {
+  name     = "{{index $.Vars "resource_name"}}"
+  project  = "{{index $.TestEnvVars "project"}}"
+  location = "us-west1"
+
+  description           = "my description"
+  load_balancing_scheme = "INTERNAL_MANAGED"
+  authority             = "ext11.com"
+  service               = google_compute_region_backend_service.default.self_link
+  timeout               = "0.1s"
+  fail_open             = false
+  forward_headers       = ["Authorization"]
+}

mmv1/templates/terraform/examples/network_services_authz_policy_advanced.tf.tmpl

@@ -0,0 +1,123 @@
+resource "google_compute_network" "default" {
+  name                    = "{{index $.Vars "network_name"}}"
+  project                 = "{{index $.TestEnvVars "project"}}"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "default" {
+  name          = "{{index $.Vars "subnet_name"}}"
+  project       = "{{index $.TestEnvVars "project"}}"
+  region        = "us-west1"
+  ip_cidr_range = "10.1.2.0/24"
+  network       = google_compute_network.default.id
+}
+
+resource "google_compute_subnetwork" "proxy_only" {
+  name          = "{{index $.Vars "proxy_subnet_name"}}"
+  project       = "{{index $.TestEnvVars "project"}}"
+  region        = "us-west1"
+  ip_cidr_range = "10.129.0.0/23"
+  purpose       = "REGIONAL_MANAGED_PROXY"
+  role          = "ACTIVE"
+  network       = google_compute_network.default.id
+}
+
+resource "google_compute_address" "default" {
+  name         = "{{index $.Vars "address_name"}}"
+  project      = "{{index $.TestEnvVars "project"}}"
+  region       = "us-west1"
+  subnetwork   = google_compute_subnetwork.default.id
+  address_type = "INTERNAL"
+  purpose      = "GCE_ENDPOINT"
+}
+
+resource "google_compute_region_health_check" "default" {
+  name    = "{{index $.Vars "health_check_name"}}"
+  project = "{{index $.TestEnvVars "project"}}"
+  region  = "us-west1"
+
+  http_health_check {
+    port_specification = "USE_SERVING_PORT"
+  }
+}
+
+resource "google_compute_region_backend_service" "url_map" {
+  name                  = "{{index $.Vars "backend_url_name"}}"
+  project               = "{{index $.TestEnvVars "project"}}"
+  region                = "us-west1"
+  load_balancing_scheme = "INTERNAL_MANAGED"
+
+  health_checks = [google_compute_region_health_check.default.id]
+}
+
+resource "google_compute_region_url_map" "default" {
+  name            = "{{index $.Vars "url_name"}}"
+  project         = "{{index $.TestEnvVars "project"}}"
+  region          = "us-west1"
+  default_service = google_compute_region_backend_service.url_map.id
+}
+
+resource "google_compute_region_target_http_proxy" "default" {
+  name    = "{{index $.Vars "target_proxy_name"}}"
+  project = "{{index $.TestEnvVars "project"}}"
+  region  = "us-west1"
+  url_map = google_compute_region_url_map.default.id
+}
+
+resource "google_compute_forwarding_rule" "default" {
+  name                  = "{{index $.Vars "forwarding_rule_name"}}"
+  project               = "{{index $.TestEnvVars "project"}}"
+  region                = "us-west1"
+  load_balancing_scheme = "INTERNAL_MANAGED"
+  network               = google_compute_network.default.id
+  subnetwork            = google_compute_subnetwork.default.id
+  ip_protocol           = "TCP"
+  port_range            = "80"
+  target                = google_compute_region_target_http_proxy.default.id
+  ip_address            = google_compute_address.default.id
+
+  depends_on = [google_compute_subnetwork.proxy_only]
+}
+
+resource "google_compute_region_backend_service" "authz_extension" {
+  name    = "{{index $.Vars "backend_authz_name"}}"
+  project = "{{index $.TestEnvVars "project"}}"
+  region  = "us-west1"
+
+  protocol              = "HTTP2"
+  load_balancing_scheme = "INTERNAL_MANAGED"
+  port_name             = "grpc"
+}
+
+resource "google_network_services_authz_extension" "default" {
+  name     = "{{index $.Vars "authz_extension_name"}}"
+  project  = "{{index $.TestEnvVars "project"}}"
+  location = "us-west1"
+
+  description           = "my description"
+  load_balancing_scheme = "INTERNAL_MANAGED"
+  authority             = "ext11.com"
+  service               = google_compute_region_backend_service.authz_extension.self_link
+  timeout               = "0.1s"
+  fail_open             = false
+  forward_headers       = ["Authorization"]
+}
+
+resource "google_network_security_authz_policy" "{{$.PrimaryResourceId}}" {
+  name        = "{{index $.Vars "resource_name"}}"
+  project     = "{{index $.TestEnvVars "project"}}"
+  location    = "us-west1"
+  description = "my description"
+
+  target {
+    load_balancing_scheme = "INTERNAL_MANAGED"
+    resources = [ google_compute_forwarding_rule.default.self_link ]
+  }
+
+  action = "CUSTOM"
+  custom_provider {
+    authz_extension {
+      resources = [ google_network_services_authz_extension.default.id ]
+    }
+  }
+}