Merge branch 'main' into notebook_instance

Author: grayside

.github/CODEOWNERS

@@ -7,7 +7,7 @@
 /build/                       @terraform-google-modules/terraform-samples-git-admins @terraform-google-modules/cft-admins @terraform-google-modules/cloud-samples-infra
 
 /bigquery/                    @terraform-google-modules/bigquery-terraform-swe @terraform-google-modules/terraform-samples-reviewers
-/cloud_sql/                   @terraform-google-modules/terraform-samples-reviewers
+/cloud_sql/                   @terraform-google-modules/cloudsql-connectivity @terraform-google-modules/terraform-samples-reviewers
 /cloudvpn/                    @terraform-google-modules/dee-infra @terraform-google-modules/terraform-samples-reviewers
 /composer/                    @terraform-google-modules/cloud-dpes-composer @terraform-google-modules/terraform-samples-reviewers
 /compute/                     @terraform-google-modules/dee-infra @terraform-google-modules/terraform-samples-reviewers

cloud_sql/mysql_instance_psa_psc/main.tf

@@ -91,3 +91,28 @@ resource "google_compute_forwarding_rule" "default" {
 
 # [END cloud_sql_mysql_instance_psa_psc_parent_tag]
 
+// Configure a Cloud SQL MySQL instance with Private Service Connect disabled.
+# [START cloud_sql_mysql_instance_disable_psc_instance]
+resource "google_sql_database_instance" "disable_psc_example" {
+  name             = "mysql-disable-psc-example"
+  region           = "us-central1"
+  database_version = "MYSQL_8_0"
+
+  depends_on = [google_service_networking_connection.default]
+
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      psc_config {
+        psc_enabled               = false
+        allowed_consumer_projects = [] # clear consumer projects
+      }
+      ipv4_enabled    = false
+      private_network = google_compute_network.peering_network.id
+    }
+  }
+  # set `deletion_protection` to true, will ensure that one cannot accidentally delete this instance by
+  # use of Terraform whereas `deletion_protection_enabled` flag protects this instance at the GCP level.
+  deletion_protection = false
+}
+# [END cloud_sql_mysql_instance_disable_psc_instance]

cloud_sql/postgres_instance_psa_psc/main.tf

@@ -94,3 +94,33 @@ resource "google_compute_forwarding_rule" "default" {
 }
 
 # [END cloud_sql_postgres_instance_psa_psc_parent_tag]
+
+// Configure a Cloud SQL Postgres instance with Private Service Connect disabled.
+# [START cloud_sql_postgres_instance_disable_psc_instance]
+resource "google_sql_database_instance" "disable_psc_example" {
+  name             = "postgres-disable-psc-example"
+  region           = "us-central1"
+  database_version = "POSTGRES_17"
+
+  depends_on = [google_service_networking_connection.default]
+
+  settings {
+    tier              = "db-custom-2-7680"
+    availability_type = "REGIONAL"
+    backup_configuration {
+      enabled = true
+    }
+    ip_configuration {
+      psc_config {
+        psc_enabled               = false
+        allowed_consumer_projects = [] # clear consumer projects
+      }
+      ipv4_enabled    = false
+      private_network = google_compute_network.peering_network.id
+    }
+  }
+  # set `deletion_protection` to true, will ensure that one cannot accidentally delete this instance by
+  # use of Terraform whereas `deletion_protection_enabled` flag protects this instance at the GCP level.
+  deletion_protection = false # Set to "true" to prevent destruction of the resource
+}
+# [END cloud_sql_postgres_instance_disable_psc_instance]

cloud_sql/sqlserver_instance_psa_psc/main.tf

@@ -92,3 +92,29 @@ resource "google_compute_forwarding_rule" "default" {
 
 # [END cloud_sql_sqlserver_instance_psa_psc_parent_tag]
 
+// Configure a Cloud SQL SQL server instance with Private Service Connect disabled.
+# [START cloud_sql_sqlserver_instance_disable_psc_instance]
+resource "google_sql_database_instance" "disable_psc_example" {
+  name             = "sqlserver-disable-psc-example"
+  region           = "us-central1"
+  database_version = "SQLSERVER_2019_STANDARD"
+  root_password    = "INSERT-PASSWORD-HERE"
+
+  depends_on = [google_service_networking_connection.default]
+
+  settings {
+    tier = "db-custom-2-7680"
+    ip_configuration {
+      psc_config {
+        psc_enabled               = false
+        allowed_consumer_projects = [] # clear consumer projects
+      }
+      ipv4_enabled    = false
+      private_network = google_compute_network.peering_network.id
+    }
+  }
+  # set `deletion_protection` to true, will ensure that one cannot accidentally delete this instance by
+  # use of Terraform whereas `deletion_protection_enabled` flag protects this instance at the GCP level.
+  deletion_protection = false
+}
+# [END cloud_sql_sqlserver_instance_disable_psc_instance]

gke/standard/regional/hpa-logs/main.tf

@@ -0,0 +1,31 @@
+/**
+* Copyright 2025 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*      http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+# [START gke_standard_regional_hpa_logs]
+resource "google_container_cluster" "default" {
+  name               = "gke-standard-hpa-logs"
+  location           = "us-central1"
+  initial_node_count = 1
+
+  logging_config {
+    enable_components = ["SYSTEM_COMPONENTS", "KCP_HPA"]
+  }
+
+  # Set `deletion_protection` to `true` will ensure that one cannot
+  # accidentally delete this instance by use of Terraform.
+  deletion_protection = false
+}
+# [END gke_standard_regional_hpa_logs]

network_security/intercept/basic/consumer/main.tf

@@ -14,6 +14,23 @@
 * limitations under the License.
 */
 
+data "google_project" "default" {
+  provider = google-beta
+}
+
+# In case the project is in a folder, extract the organization ID from it.
+data "google_folder" "default" {
+  provider            = google-beta
+  count               = data.google_project.default.folder_id != "" ? 1 : 0
+  folder              = data.google_project.default.folder_id
+  lookup_organization = true
+}
+
+data "google_organization" "default" {
+  provider     = google-beta
+  organization = data.google_project.default.org_id != "" ? data.google_project.default.org_id : data.google_folder.default[0].organization
+}
+
 # [START networksecurity_intercept_basic_consumer]
 # [START networksecurity_intercept_create_producer_network_tf]
 resource "google_compute_network" "producer_network" {
@@ -31,6 +48,16 @@ resource "google_compute_network" "consumer_network" {
 }
 # [END networksecurity_intercept_create_consumer_network_tf]
 
+# [START networksecurity_intercept_create_consumer_subnetwork_tf]
+resource "google_compute_subnetwork" "consumer_subnet" {
+  provider      = google-beta
+  name          = "consumer-subnet"
+  region        = "us-central1"
+  ip_cidr_range = "10.10.0.0/16"
+  network       = google_compute_network.consumer_network.name
+}
+# [END networksecurity_intercept_create_consumer_subnetwork_tf]
+
 # [START networksecurity_intercept_create_producer_deployment_group_tf]
 resource "google_network_security_intercept_deployment_group" "default" {
   provider                      = google-beta
@@ -58,4 +85,63 @@ resource "google_network_security_intercept_endpoint_group_association" "default
   intercept_endpoint_group                = google_network_security_intercept_endpoint_group.default.id
 }
 # [END networksecurity_intercept_create_endpoint_group_association_tf]
+
+# [START networksecurity_intercept_create_security_profile_tf]
+resource "google_network_security_security_profile" "default" {
+  provider = google-beta
+  name     = "security-profile"
+  type     = "CUSTOM_INTERCEPT"
+  parent   = "organizations/${data.google_organization.default.org_id}"
+  location = "global"
+
+  custom_intercept_profile {
+    intercept_endpoint_group = google_network_security_intercept_endpoint_group.default.id
+  }
+}
+# [END networksecurity_intercept_create_security_profile_tf]
+
+# [START networksecurity_intercept_create_security_profile_group_tf]
+resource "google_network_security_security_profile_group" "default" {
+  provider                 = google-beta
+  name                     = "security-profile-group"
+  parent                   = "organizations/${data.google_organization.default.org_id}"
+  location                 = "global"
+  custom_intercept_profile = google_network_security_security_profile.default.id
+}
+# [END networksecurity_intercept_create_security_profile_group_tf]
+
+# [START networksecurity_intercept_create_firewall_policy_tf]
+resource "google_compute_network_firewall_policy" "default" {
+  provider = google-beta
+  name     = "firewall-policy"
+}
+# [END networksecurity_intercept_create_firewall_policy_tf]
+
+# [START networksecurity_intercept_create_firewall_policy_rule_tf]
+resource "google_compute_network_firewall_policy_rule" "default" {
+  provider               = google-beta
+  firewall_policy        = google_compute_network_firewall_policy.default.name
+  priority               = 1000
+  action                 = "apply_security_profile_group"
+  direction              = "INGRESS"
+  security_profile_group = google_network_security_security_profile_group.default.id
+
+  match {
+    layer4_configs {
+      ip_protocol = "tcp"
+      ports       = ["80"]
+    }
+    src_ip_ranges = ["10.10.0.0/16"]
+  }
+}
+# [END networksecurity_intercept_create_firewall_policy_rule_tf]
+
+# [START networksecurity_intercept_create_firewall_policy_association_tf]
+resource "google_compute_network_firewall_policy_association" "default" {
+  provider          = google-beta
+  name              = "firewall-policy-assoc"
+  attachment_target = google_compute_network.consumer_network.id
+  firewall_policy   = google_compute_network_firewall_policy.default.name
+}
+# [END networksecurity_intercept_create_firewall_policy_association_tf]
 # [END networksecurity_intercept_basic_consumer]

network_security/intercept/basic/consumer/test.yaml

@@ -0,0 +1,20 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintTest
+metadata:
+  name: network_security_intercept_basic_consumer
+spec:
+  skip: true

network_security/mirroring/basic/consumer/main.tf

@@ -14,26 +14,45 @@
 * limitations under the License.
 */
 
+data "google_project" "default" {}
+
+# In case the project is in a folder, extract the organization ID from it.
+data "google_folder" "default" {
+  count               = data.google_project.default.folder_id != "" ? 1 : 0
+  folder              = data.google_project.default.folder_id
+  lookup_organization = true
+}
+
+data "google_organization" "default" {
+  organization = data.google_project.default.org_id != "" ? data.google_project.default.org_id : data.google_folder.default[0].organization
+}
+
 # [START networksecurity_mirroring_basic_consumer]
 # [START networksecurity_mirroring_create_producer_network_tf]
 resource "google_compute_network" "producer_network" {
-  provider                = google-beta
   name                    = "producer-network"
   auto_create_subnetworks = false
 }
 # [END networksecurity_mirroring_create_producer_network_tf]
 
 # [START networksecurity_mirroring_create_consumer_network_tf]
 resource "google_compute_network" "consumer_network" {
-  provider                = google-beta
   name                    = "consumer-network"
   auto_create_subnetworks = false
 }
 # [END networksecurity_mirroring_create_consumer_network_tf]
 
+# [START networksecurity_mirroring_create_consumer_subnetwork_tf]
+resource "google_compute_subnetwork" "consumer_subnet" {
+  name          = "consumer-subnet"
+  region        = "us-central1"
+  ip_cidr_range = "10.10.0.0/16"
+  network       = google_compute_network.consumer_network.name
+}
+# [END networksecurity_mirroring_create_consumer_subnetwork_tf]
+
 # [START networksecurity_mirroring_create_producer_deployment_group_tf]
 resource "google_network_security_mirroring_deployment_group" "default" {
-  provider                      = google-beta
   mirroring_deployment_group_id = "mirroring-deployment-group"
   location                      = "global"
   network                       = google_compute_network.producer_network.id
@@ -42,7 +61,6 @@ resource "google_network_security_mirroring_deployment_group" "default" {
 
 # [START networksecurity_mirroring_create_endpoint_group_tf]
 resource "google_network_security_mirroring_endpoint_group" "default" {
-  provider                    = google-beta
   mirroring_endpoint_group_id = "mirroring-endpoint-group"
   location                    = "global"
   mirroring_deployment_group  = google_network_security_mirroring_deployment_group.default.id
@@ -51,11 +69,65 @@ resource "google_network_security_mirroring_endpoint_group" "default" {
 
 # [START networksecurity_mirroring_create_endpoint_group_association_tf]
 resource "google_network_security_mirroring_endpoint_group_association" "default" {
-  provider                                = google-beta
   mirroring_endpoint_group_association_id = "mirroring-endpoint-group-association"
   location                                = "global"
   network                                 = google_compute_network.consumer_network.id
   mirroring_endpoint_group                = google_network_security_mirroring_endpoint_group.default.id
 }
 # [END networksecurity_mirroring_create_endpoint_group_association_tf]
+
+# [START networksecurity_mirroring_create_security_profile_tf]
+resource "google_network_security_security_profile" "default" {
+  name     = "security-profile"
+  type     = "CUSTOM_MIRRORING"
+  parent   = "organizations/${data.google_organization.default.org_id}"
+  location = "global"
+
+  custom_mirroring_profile {
+    mirroring_endpoint_group = google_network_security_mirroring_endpoint_group.default.id
+  }
+}
+# [END networksecurity_mirroring_create_security_profile_tf]
+
+# [START networksecurity_mirroring_create_security_profile_group_tf]
+resource "google_network_security_security_profile_group" "default" {
+  name                     = "security-profile-group"
+  parent                   = "organizations/${data.google_organization.default.org_id}"
+  location                 = "global"
+  custom_mirroring_profile = google_network_security_security_profile.default.id
+}
+# [END networksecurity_mirroring_create_security_profile_group_tf]
+
+# [START networksecurity_mirroring_create_firewall_policy_tf]
+resource "google_compute_network_firewall_policy" "default" {
+  name = "firewall-policy"
+}
+# [END networksecurity_mirroring_create_firewall_policy_tf]
+
+# [START networksecurity_mirroring_create_firewall_policy_rule_tf]
+resource "google_compute_network_firewall_policy_packet_mirroring_rule" "default" {
+  provider               = google-beta
+  firewall_policy        = google_compute_network_firewall_policy.default.name
+  priority               = 1000
+  action                 = "mirror"
+  direction              = "INGRESS"
+  security_profile_group = google_network_security_security_profile_group.default.id
+
+  match {
+    layer4_configs {
+      ip_protocol = "tcp"
+      ports       = ["80"]
+    }
+    src_ip_ranges = ["10.10.0.0/16"]
+  }
+}
+# [END networksecurity_mirroring_create_firewall_policy_rule_tf]
+
+# [START networksecurity_mirroring_create_firewall_policy_association_tf]
+resource "google_compute_network_firewall_policy_association" "default" {
+  name              = "firewall-policy-assoc"
+  attachment_target = google_compute_network.consumer_network.id
+  firewall_policy   = google_compute_network_firewall_policy.default.name
+}
+# [END networksecurity_mirroring_create_firewall_policy_association_tf]
 # [END networksecurity_mirroring_basic_consumer]