From 229b294886a1133898628331dee85f13eca5a871 Mon Sep 17 00:00:00 2001
From: Roberto Jung Drebes
Date: Thu, 4 Dec 2025 17:49:01 +0100
Subject: [PATCH] feat(net-lb-app): support Google-Managed IAP and add tests (#3564)

Updates the dynamic block in load balancer modules to make OAuth2 client fields optional. This allows enabling Google-Managed IAP by omitting these fields or passing . Supports migration path by passing as per Google documentation. Added test case to to verify configuration.
---
 .../backend-service.tf | 6 +--
 modules/net-lb-app-ext/backend-service.tf | 6 +--
 .../backend-service.tf | 6 +--
 modules/net-lb-app-int/backend-service.tf | 6 +--
 tests/modules/net_lb_app_int/iap.tfvars | 43 +++++++++++++++++++
 tests/modules/net_lb_app_int/iap.yaml | 20 +++++++++
 6 files changed, 75 insertions(+), 12 deletions(-)
 create mode 100644 tests/modules/net_lb_app_int/iap.tfvars
 create mode 100644 tests/modules/net_lb_app_int/iap.yaml

diff --git a/modules/net-lb-app-ext-regional/backend-service.tf b/modules/net-lb-app-ext-regional/backend-service.tf
index b40258bdf..f002a39d6 100644
--- a/modules/net-lb-app-ext-regional/backend-service.tf
+++ b/modules/net-lb-app-ext-regional/backend-service.tf
@@ -197,9 +197,9 @@ resource "google_compute_region_backend_service" "default" {
 for_each = each.value.iap_config == null ? [] : [each.value.iap_config]
 content {
 enabled = true
- oauth2_client_id = iap.value.oauth2_client_id
- oauth2_client_secret = iap.value.oauth2_client_secret
- oauth2_client_secret_sha256 = iap.value.oauth2_client_secret_sha256
+ oauth2_client_id = try(iap.value.oauth2_client_id, null)
+ oauth2_client_secret = try(iap.value.oauth2_client_secret, null)
+ oauth2_client_secret_sha256 = try(iap.value.oauth2_client_secret_sha256, null)
 }
 }
diff --git a/modules/net-lb-app-ext/backend-service.tf b/modules/net-lb-app-ext/backend-service.tf
index 9854e4925..ec9cfabbe 100644
--- a/modules/net-lb-app-ext/backend-service.tf
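Review bot: The `try(..., null)` wrappers on the three new `oauth2_*` lines make a misspelled or unexpected key inside `iap_config` degrade silently to `null`, which flips the backend from OAuth-client IAP to Google-managed IAP with no plan-time error; the same pattern is repeated in modules/net-lb-app-ext, modules/net-lb-app-int-cross-region and modules/net-lb-app-int. If the `iap_config` variable type already declares these attributes as `optional(string)` (not visible in this patch), plain attribute access yields the same `null` without masking typos; if it does not, a `lifecycle { precondition { ... } }` on the resource checking that `oauth2_client_id` and `oauth2_client_secret` are either both set or both `null` would reject half-configured blocks. A comment such as `# id/secret/sha256 all null => Google-managed IAP; a single space in id and secret is the documented migration value` above the `oauth2_client_id` line would record why `null` is now accepted here. The enclosing `dynamic "iap"` block and the resource both begin and end outside the hunk.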
+++ b/modules/net-lb-app-ext/backend-service.tf
@@ -202,9 +202,9 @@ resource "google_compute_backend_service" "default" {
 for_each = each.value.iap_config == null ? [] : [each.value.iap_config]
 content {
 enabled = true
- oauth2_client_id = iap.value.oauth2_client_id
- oauth2_client_secret = iap.value.oauth2_client_secret
- oauth2_client_secret_sha256 = iap.value.oauth2_client_secret_sha256
+ oauth2_client_id = try(iap.value.oauth2_client_id, null)
+ oauth2_client_secret = try(iap.value.oauth2_client_secret, null)
+ oauth2_client_secret_sha256 = try(iap.value.oauth2_client_secret_sha256, null)
 }
 }
diff --git a/modules/net-lb-app-int-cross-region/backend-service.tf b/modules/net-lb-app-int-cross-region/backend-service.tf
index f72fb3918..200971fd7 100644
--- a/modules/net-lb-app-int-cross-region/backend-service.tf
+++ b/modules/net-lb-app-int-cross-region/backend-service.tf
@@ -143,9 +143,9 @@ resource "google_compute_backend_service" "default" {
 for_each = each.value.iap_config == null ? [] : [each.value.iap_config]
 content {
 enabled = true
- oauth2_client_id = iap.value.oauth2_client_id
- oauth2_client_secret = iap.value.oauth2_client_secret
- oauth2_client_secret_sha256 = iap.value.oauth2_client_secret_sha256
+ oauth2_client_id = try(iap.value.oauth2_client_id, null)
+ oauth2_client_secret = try(iap.value.oauth2_client_secret, null)
+ oauth2_client_secret_sha256 = try(iap.value.oauth2_client_secret_sha256, null)
 }
 }
diff --git a/modules/net-lb-app-int/backend-service.tf b/modules/net-lb-app-int/backend-service.tf
index 95072ba33..58864adaf 100644
--- a/modules/net-lb-app-int/backend-service.tf
+++ b/modules/net-lb-app-int/backend-service.tf
@@ -164,9 +164,9 @@ resource "google_compute_region_backend_service" "default" {
 for_each = each.value.iap_config == null ? [] : [each.value.iap_config]
 content {
 enabled = true
- oauth2_client_id = iap.value.oauth2_client_id
- oauth2_client_secret = iap.value.oauth2_client_secret
- oauth2_client_secret_sha256 = iap.value.oauth2_client_secret_sha256
+ oauth2_client_id = try(iap.value.oauth2_client_id, null)
+ oauth2_client_secret = try(iap.value.oauth2_client_secret, null)
+ oauth2_client_secret_sha256 = try(iap.value.oauth2_client_secret_sha256, null)
 }
 }
diff --git a/tests/modules/net_lb_app_int/iap.tfvars b/tests/modules/net_lb_app_int/iap.tfvars
new file mode 100644
index 000000000..414ecc436
--- /dev/null
+++ b/tests/modules/net_lb_app_int/iap.tfvars
@@ -0,0 +1,43 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+project_id = "my-project"
+name = "ilb-l7-test"
+region = "europe-west1"
+vpc_config = {
+ network = "projects/my-project/global/networks/default"
+ subnetwork = "projects/my-project/regions/europe-west1/subnetworks/default"
+}
+backend_service_configs = {
+ google-managed = {
+ backends = [{ group = "group-1" }]
+ iap_config = {}
+ }
+ oauth-managed = {
+ backends = [{ group = "group-2" }]
+ iap_config = {
+ oauth2_client_id = "client-id"
+ oauth2_client_secret = "client-secret"
+ }
+ }
+ migration-mode = {
+ backends = [{ group = "group-3" }]
+ iap_config = {
+ oauth2_client_id = " "
+ oauth2_client_secret = " "
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/modules/net_lb_app_int/iap.yaml b/tests/modules/net_lb_app_int/iap.yaml
new file mode 100644
index 000000000..ad73b8647
--- /dev/null
+++ b/tests/modules/net_lb_app_int/iap.yaml
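Review bot: The fixture covers the omitted-fields case (`iap_config = {}`) but not the explicit-`null` form the commit description also promises, so a regression in how the variable type defaults these attributes would go unnoticed; a fourth backend with `iap_config = { oauth2_client_id = null, oauth2_client_secret = null }` would close that gap. The `oauth-managed` entry also leaves `oauth2_client_secret_sha256` unset, so the third `try()` branch added to the modules is never exercised by any of the three cases.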
@@ -0,0 +1,20 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+counts:
+ google_compute_forwarding_rule: 1
+ google_compute_health_check: 1
+ google_compute_region_backend_service: 3
+ google_compute_region_target_http_proxy: 1
+ google_compute_region_url_map: 1
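Review bot: `counts` only checks that three `google_compute_region_backend_service` resources are planned; it does not assert that the `google-managed` service ends up with `iap.oauth2_client_id` and `iap.oauth2_client_secret` null, or that `migration-mode` carries the single-space values, which is the behaviour this change exists to produce. If the test harness supports per-resource `values:` assertions next to `counts:` (it appears to be the project's yaml-driven plan checker, but that is not visible here), pinning the `iap` block of each of the three backend services would turn this from a smoke test into a regression test for the new `try()` defaults.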