diff --git a/network_security/intercept/basic/consumer/main.tf b/network_security/intercept/basic/consumer/main.tf
index 9481dc338..cc16d63c0 100644
--- a/network_security/intercept/basic/consumer/main.tf
+++ b/network_security/intercept/basic/consumer/main.tf
@@ -14,6 +14,23 @@
 * limitations under the License.
 */
+data "google_project" "default" {
+ provider = google-beta
+}
+
+# In case the project is in a folder, extract the organization ID from it.
+data "google_folder" "default" {
+ provider = google-beta
+ count = data.google_project.default.folder_id != "" ? 1 : 0
+ folder = data.google_project.default.folder_id
+ lookup_organization = true
+}
+
+data "google_organization" "default" {
+ provider = google-beta
+ organization = data.google_project.default.org_id != "" ? data.google_project.default.org_id : data.google_folder.default[0].organization
+}
+
 # [START networksecurity_intercept_basic_consumer]
 # [START networksecurity_intercept_create_producer_network_tf]
 resource "google_compute_network" "producer_network" {
@@ -31,6 +48,16 @@ resource "google_compute_network" "consumer_network" {
 }
 # [END networksecurity_intercept_create_consumer_network_tf]
+# [START networksecurity_intercept_create_consumer_subnetwork_tf]
+resource "google_compute_subnetwork" "consumer_subnet" {
+ provider = google-beta
+ name = "consumer-subnet"
+ region = "us-central1"
+ ip_cidr_range = "10.10.0.0/16"
+ network = google_compute_network.consumer_network.name
+}
+# [END networksecurity_intercept_create_consumer_subnetwork_tf]
+
 # [START networksecurity_intercept_create_producer_deployment_group_tf]
 resource "google_network_security_intercept_deployment_group" "default" {
 provider = google-beta
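Review bot: The fallback branch of `organization` in `data "google_organization" "default"` indexes `data.google_folder.default[0]`, which is an empty list whenever `folder_id` is empty, so a project that has neither an `org_id` nor a `folder_id` fails with an index error on that data source rather than a message saying the sample needs an organization-parented project (the security profile in the later hunk needs `organizations/…` as its parent). A postcondition on `data "google_project" "default"` would state that requirement up front, assuming the sample's minimum Terraform version supports `lifecycle` conditions on data blocks (1.2 or later). The comment on the folder lookup could also say that `lookup_organization = true` is what resolves nested folders up to the organization, since that is why the folder data source is needed at all.

```hcl
data "google_project" "default" {
  provider = google-beta

  lifecycle {
    postcondition {
      condition     = self.org_id != "" || self.folder_id != ""
      error_message = "This sample requires a project that belongs to an organization, directly or through a folder."
    }
  }
}
# … unchanged: google_folder and google_organization data sources …
```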
@@ -58,4 +85,63 @@ resource "google_network_security_intercept_endpoint_group_association" "default
 intercept_endpoint_group = google_network_security_intercept_endpoint_group.default.id
 }
 # [END networksecurity_intercept_create_endpoint_group_association_tf]
+
+# [START networksecurity_intercept_create_security_profile_tf]
+resource "google_network_security_security_profile" "default" {
+ provider = google-beta
+ name = "security-profile"
+ type = "CUSTOM_INTERCEPT"
+ parent = "organizations/${data.google_organization.default.org_id}"
+ location = "global"
+
+ custom_intercept_profile {
+ intercept_endpoint_group = google_network_security_intercept_endpoint_group.default.id
+ }
+}
+# [END networksecurity_intercept_create_security_profile_tf]
+
+# [START networksecurity_intercept_create_security_profile_group_tf]
+resource "google_network_security_security_profile_group" "default" {
+ provider = google-beta
+ name = "security-profile-group"
+ parent = "organizations/${data.google_organization.default.org_id}"
+ location = "global"
+ custom_intercept_profile = google_network_security_security_profile.default.id
+}
+# [END networksecurity_intercept_create_security_profile_group_tf]
+
+# [START networksecurity_intercept_create_firewall_policy_tf]
+resource "google_compute_network_firewall_policy" "default" {
+ provider = google-beta
+ name = "firewall-policy"
+}
+# [END networksecurity_intercept_create_firewall_policy_tf]
+
+# [START networksecurity_intercept_create_firewall_policy_rule_tf]
+resource "google_compute_network_firewall_policy_rule" "default" {
+ provider = google-beta
+ firewall_policy = google_compute_network_firewall_policy.default.name
+ priority = 1000
+ action = "apply_security_profile_group"
+ direction = "INGRESS"
+ security_profile_group = google_network_security_security_profile_group.default.id
+
+ match {
+ layer4_configs {
+ ip_protocol = "tcp"
+ ports = ["80"]
+ }
+ src_ip_ranges = ["10.10.0.0/16"]
+ }
+}
+# [END networksecurity_intercept_create_firewall_policy_rule_tf]
+
+# [START networksecurity_intercept_create_firewall_policy_association_tf]
+resource "google_compute_network_firewall_policy_association" "default" {
+ provider = google-beta
+ name = "firewall-policy-assoc"
+ attachment_target = google_compute_network.consumer_network.id
+ firewall_policy = google_compute_network_firewall_policy.default.name
+}
+# [END networksecurity_intercept_create_firewall_policy_association_tf]
 # [END networksecurity_intercept_basic_consumer]
diff --git a/network_security/intercept/basic/consumer/test.yaml b/network_security/intercept/basic/consumer/test.yaml
new file mode 100644
index 000000000..6422ccf42
--- /dev/null
+++ b/network_security/intercept/basic/consumer/test.yaml
@@ -0,0 +1,20 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintTest
+metadata:
+ name: network_security_intercept_basic_consumer
+spec:
+ skip: true
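Review bot: `src_ip_ranges = ["10.10.0.0/16"]` in the firewall policy rule repeats the literal passed to `ip_cidr_range` on `consumer_subnet` in the earlier hunk, so the two can silently drift apart when either one is edited; referencing the subnet keeps the rule bound to the range it is meant to cover: `src_ip_ranges = [google_compute_subnetwork.consumer_subnet.ip_cidr_range]`. The rule forwards only ingress TCP/80 from that range to the security profile group, which is reasonable for a sample but not obvious to a reader copying it, so a comment above `match` such as `# Only ingress TCP/80 from the consumer subnet is sent through the intercept endpoint group.` would make the scope explicit. The organization parent string `"organizations/${data.google_organization.default.org_id}"` is also built twice, in the security profile and the profile group; a single `local` for it would remove the duplication.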
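Review bot: `skip: true` disables the BlueprintTest for this sample, so none of the organization-scoped resources added to main.tf in this commit (security profile, profile group, firewall policy and its rule) are exercised by the blueprint test run. If the skip is because the test project has no organization parent or lacks the permissions the `organizations/…` parent requires, which this diff does not show, a comment on the `skip` line saying so would tell maintainers when it can be turned back on, e.g. `# Skipped: needs an organization-parented test project — TODO(owner): re-enable when available`.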