Add context to net-lb-app-int module (#3880)

modules/net-lb-app-int/README.md

@@ -23,6 +23,7 @@ Due to the complexity of the underlying resources, changes to the configuration
   - [SSL Certificates](#ssl-certificates)
   - [Backend Authenticated TLS](#backend-authenticated-tls)
   - [PSC service attachment](#psc-service-attachment)
+  - [Context](#context)
   - [Complex example](#complex-example)
 - [Deploying changes to load balancer configurations](#deploying-changes-to-load-balancer-configurations)
 - [Files](#files)
@@ -777,6 +778,167 @@ module "ilb-l7" {
 # tftest modules=3 resources=10 fixtures=fixtures/compute-vm-group-bc.tf e2e
 ```
 
+### Context
+
+The module supports the contexts interpolation. For example:
+
+```hcl
+module "ilb-l7" {
+  source     = "./fabric/modules/net-lb-app-int"
+  name       = "ilb-test-0"
+  project_id = "$project_ids:test"
+  region     = "$locations:ew8"
+  vpc_config = {
+    network    = "$networks:test"
+    subnetwork = "$subnets:test"
+  }
+  address = "$addresses:test"
+  backend_service_configs = {
+    default = {
+      backends = [
+        { group = "projects/foo-test-0/zones/europe-west8-b/instanceGroups/ig-b" },
+        { group = "ig-c" }
+      ]
+    }
+    neg-cloudrun = {
+      backends      = [{ group = "neg-cloudrun" }]
+      health_checks = []
+    }
+    neg-gce = {
+      backends       = [{ group = "neg-gce" }]
+      balancing_mode = "RATE"
+      max_rate       = { per_endpoint = 10 }
+    }
+    neg-hybrid = {
+      backends       = [{ group = "neg-hybrid" }]
+      balancing_mode = "RATE"
+      max_rate       = { per_endpoint = 10 }
+    }
+    neg-internet = {
+      backends      = [{ group = "neg-internet" }]
+      health_checks = []
+    }
+    neg-psc = {
+      backends      = [{ group = "neg-psc" }]
+      health_checks = []
+    }
+  }
+  group_configs = {
+    ig-c = {
+      zone = "$locations:ew8-c"
+      instances = [
+        "projects/foo-test-0/zones/europe-west8-c/instances/vm-c"
+      ]
+      named_ports = { http = 80 }
+    }
+  }
+  health_check_configs = {
+    default = {
+      http = {
+        host               = "hello.example.org"
+        port_specification = "USE_SERVING_PORT"
+      }
+    }
+  }
+  neg_configs = {
+    neg-cloudrun = {
+      cloudrun = {
+        region = "$locations:ew8"
+        target_service = {
+          name = "hello"
+        }
+      }
+    }
+    neg-gce = {
+      gce = {
+        network    = "$networks:test"
+        subnetwork = "$subnets:test"
+        zone       = "$locations:ew8-b"
+        endpoints = {
+          e-0 = {
+            instance   = "nginx-ew8-b"
+            ip_address = "$addresses:test"
+            port       = 80
+          }
+        }
+      }
+    }
+    neg-hybrid = {
+      hybrid = {
+        network = "$networks:test"
+        zone    = "$locations:ew8-b"
+        endpoints = {
+          e-0 = {
+            ip_address = "$addresses:test-hybrid"
+            port       = 80
+          }
+        }
+      }
+    }
+    neg-internet = {
+      internet = {
+        region   = "$locations:ew8"
+        use_fqdn = true
+        endpoints = {
+          e-0 = {
+            destination = "hello.example.org"
+            port        = 80
+          }
+        }
+      }
+    }
+    neg-psc = {
+      psc = {
+        region         = "$locations:ew8"
+        target_service = "projects/foo-test-0/regions/europe-west8/serviceAttachments/sa"
+        network        = "$networks:test"
+        subnetwork     = "$subnets:test"
+      }
+    }
+  }
+  urlmap_config = {
+    default_service = "default"
+    host_rules = [{
+      hosts        = ["*"]
+      path_matcher = "pathmap"
+    }]
+    path_matchers = {
+      pathmap = {
+        default_service = "default"
+        path_rules = [
+          { paths = ["/cloudrun", "/cloudrun/*"], service = "neg-cloudrun" },
+          { paths = ["/gce", "/gce/*"], service = "neg-gce" },
+          { paths = ["/hybrid", "/hybrid/*"], service = "neg-hybrid" },
+          { paths = ["/internet", "/internet/*"], service = "neg-internet" },
+          { paths = ["/psc", "/psc/*"], service = "neg-psc" },
+        ]
+      }
+    }
+  }
+  context = {
+    addresses = {
+      test        = "10.0.0.10"
+      test-hybrid = "192.168.0.3"
+    }
+    locations = {
+      ew8   = "europe-west8"
+      ew8-b = "europe-west8-b"
+      ew8-c = "europe-west8-c"
+    }
+    networks = {
+      test = "projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0"
+    }
+    project_ids = {
+      test = "foo-test-0"
+    }
+    subnets = {
+      test = "projects/foo-dev-net-spoke-0/regions/europe-west8/subnetworks/gce"
+    }
+  }
+}
+# tftest modules=1 resources=19 inventory=context.yaml
+```
+
 ### Complex example
 
 This example mixes group and NEG backends, and shows how to set HTTPS for specific backends.

modules/net-lb-app-int/groups.tf

@@ -21,7 +21,7 @@ resource "google_compute_instance_group" "default" {
     ? local.project_id
     : each.value.project_id
   )
-  zone        = each.value.zone
+  zone        = try(local.ctx.locations[each.value.zone], each.value.zone)
   name        = coalesce(each.value.name, "${var.name}-${each.key}")
   description = each.value.description
   instances   = each.value.instances

modules/net-lb-app-int/main.tf

@@ -183,12 +183,17 @@ resource "google_compute_network_endpoint_group" "default" {
   description           = var.description
   network_endpoint_type = each.value.type
   network = (
-    each.value.network != null ? each.value.network : local.network
+    each.value.network != null
+    ? try(local.ctx.networks[each.value.network], each.value.network)
+    : local.network
   )
   subnetwork = (
     each.value.type == "NON_GCP_PRIVATE_IP_PORT"
     ? null
-    : coalesce(each.value.subnetwork, local.subnetwork)
+    : coalesce(
+      try(local.ctx.subnets[each.value.subnetwork], each.value.subnetwork),
+      local.subnetwork
+    )
   )
 }
 
@@ -238,8 +243,16 @@ resource "google_compute_region_network_endpoint_group" "psc" {
   //description           = coalesce(each.value.description, var.description)
   network_endpoint_type = "PRIVATE_SERVICE_CONNECT"
   psc_target_service    = each.value.psc.target_service
-  network               = each.value.psc.network
-  subnetwork            = each.value.psc.subnetwork
+  network = (
+    each.value.psc.network == null
+    ? null
+    : try(local.ctx.networks[each.value.psc.network], each.value.psc.network)
+  )
+  subnetwork = (
+    each.value.psc.subnetwork == null
+    ? null
+    : try(local.ctx.subnets[each.value.psc.subnetwork], each.value.psc.subnetwork)
+  )
   lifecycle {
     # ignore until https://github.com/hashicorp/terraform-provider-google/issues/20576 is fixed
     ignore_changes = [psc_data]

tests/modules/net_lb_app_int/examples/context.yaml

@@ -0,0 +1,233 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.ilb-l7.google_compute_forwarding_rule.default:
+    ip_address: 10.0.0.10
+    ip_protocol: TCP
+    load_balancing_scheme: INTERNAL_MANAGED
+    name: ilb-test-0
+    network: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
+    network_tier: PREMIUM
+    port_range: '80'
+    project: foo-test-0
+    region: europe-west8
+    subnetwork: projects/foo-dev-net-spoke-0/regions/europe-west8/subnetworks/gce
+  module.ilb-l7.google_compute_health_check.default["default"]:
+    check_interval_sec: 5
+    description: Terraform managed.
+    healthy_threshold: 2
+    http_health_check:
+    - host: hello.example.org
+      port_specification: USE_SERVING_PORT
+    name: ilb-test-0-default
+    project: foo-test-0
+    timeout_sec: 5
+    unhealthy_threshold: 2
+  module.ilb-l7.google_compute_instance_group.default["ig-c"]:
+    description: Terraform managed.
+    instances:
+    - projects/foo-test-0/zones/europe-west8-c/instances/vm-c
+    name: ilb-test-0-ig-c
+    named_port:
+    - name: http
+      port: 80
+    project: foo-test-0
+    zone: europe-west8-c
+  module.ilb-l7.google_compute_network_endpoint.default["neg-gce-e-0"]:
+    instance: nginx-ew8-b
+    ip_address: $addresses:test
+    network_endpoint_group: ilb-test-0-neg-gce
+    port: 80
+    project: foo-test-0
+    zone: $locations:ew8-b
+  module.ilb-l7.google_compute_network_endpoint.default["neg-hybrid-e-0"]:
+    ip_address: $addresses:test-hybrid
+    network_endpoint_group: ilb-test-0-neg-hybrid
+    port: 80
+    project: foo-test-0
+    zone: $locations:ew8-b
+  module.ilb-l7.google_compute_network_endpoint_group.default["neg-gce"]:
+    description: Terraform managed.
+    name: ilb-test-0-neg-gce
+    network: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
+    network_endpoint_type: GCE_VM_IP_PORT
+    project: foo-test-0
+    subnetwork: projects/foo-dev-net-spoke-0/regions/europe-west8/subnetworks/gce
+    zone: $locations:ew8-b
+  module.ilb-l7.google_compute_network_endpoint_group.default["neg-hybrid"]:
+    description: Terraform managed.
+    name: ilb-test-0-neg-hybrid
+    network: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
+    network_endpoint_type: NON_GCP_PRIVATE_IP_PORT
+    project: foo-test-0
+    zone: $locations:ew8-b
+  module.ilb-l7.google_compute_region_backend_service.default["default"]:
+    backend:
+    - balancing_mode: UTILIZATION
+      capacity_scaler: 1
+      description: Terraform managed.
+      failover: false
+      group: projects/foo-test-0/zones/europe-west8-b/instanceGroups/ig-b
+    - balancing_mode: UTILIZATION
+      capacity_scaler: 1
+      description: Terraform managed.
+      failover: false
+    connection_draining_timeout_sec: 300
+    description: Terraform managed.
+    load_balancing_scheme: INTERNAL_MANAGED
+    name: ilb-test-0-default
+    project: foo-test-0
+    protocol: HTTP
+    region: europe-west8
+  module.ilb-l7.google_compute_region_backend_service.default["neg-cloudrun"]:
+    backend:
+    - balancing_mode: UTILIZATION
+      capacity_scaler: 1
+      description: Terraform managed.
+      failover: false
+    connection_draining_timeout_sec: 300
+    description: Terraform managed.
+    load_balancing_scheme: INTERNAL_MANAGED
+    name: ilb-test-0-neg-cloudrun
+    project: foo-test-0
+    protocol: HTTP
+    region: europe-west8
+  module.ilb-l7.google_compute_region_backend_service.default["neg-gce"]:
+    backend:
+    - balancing_mode: UTILIZATION
+      capacity_scaler: 1
+      description: Terraform managed.
+      failover: false
+    connection_draining_timeout_sec: 300
+    description: Terraform managed.
+    load_balancing_scheme: INTERNAL_MANAGED
+    name: ilb-test-0-neg-gce
+    project: foo-test-0
+    protocol: HTTP
+    region: europe-west8
+  module.ilb-l7.google_compute_region_backend_service.default["neg-hybrid"]:
+    backend:
+    - balancing_mode: UTILIZATION
+      capacity_scaler: 1
+      description: Terraform managed.
+      failover: false
+    connection_draining_timeout_sec: 300
+    description: Terraform managed.
+    load_balancing_scheme: INTERNAL_MANAGED
+    name: ilb-test-0-neg-hybrid
+    project: foo-test-0
+    protocol: HTTP
+    region: europe-west8
+  module.ilb-l7.google_compute_region_backend_service.default["neg-internet"]:
+    backend:
+    - balancing_mode: UTILIZATION
+      capacity_scaler: 1
+      description: Terraform managed.
+      failover: false
+    connection_draining_timeout_sec: 300
+    description: Terraform managed.
+    load_balancing_scheme: INTERNAL_MANAGED
+    name: ilb-test-0-neg-internet
+    project: foo-test-0
+    protocol: HTTP
+    region: europe-west8
+  module.ilb-l7.google_compute_region_backend_service.default["neg-psc"]:
+    backend:
+    - balancing_mode: UTILIZATION
+      capacity_scaler: 1
+      description: Terraform managed.
+      failover: false
+    connection_draining_timeout_sec: 300
+    description: Terraform managed.
+    load_balancing_scheme: INTERNAL_MANAGED
+    name: ilb-test-0-neg-psc
+    project: foo-test-0
+    protocol: HTTP
+    region: europe-west8
+  module.ilb-l7.google_compute_region_network_endpoint.internet["neg-internet-e-0"]:
+    fqdn: hello.example.org
+    port: 80
+    project: foo-test-0
+    region: $locations:ew8
+    region_network_endpoint_group: ilb-test-0-neg-internet
+  module.ilb-l7.google_compute_region_network_endpoint_group.default["neg-cloudrun"]:
+    cloud_run:
+    - service: hello
+    description: Terraform managed.
+    name: ilb-test-0-neg-cloudrun
+    network_endpoint_type: SERVERLESS
+    project: foo-test-0
+    region: $locations:ew8
+  module.ilb-l7.google_compute_region_network_endpoint_group.internet["neg-internet"]:
+    description: Terraform managed.
+    name: ilb-test-0-neg-internet
+    network: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
+    network_endpoint_type: INTERNET_FQDN_PORT
+    project: foo-test-0
+    region: $locations:ew8
+  module.ilb-l7.google_compute_region_network_endpoint_group.psc["neg-psc"]:
+    name: ilb-test-0-neg-psc
+    network: projects/foo-dev-net-spoke-0/global/networks/dev-spoke-0
+    network_endpoint_type: PRIVATE_SERVICE_CONNECT
+    project: foo-test-0
+    psc_target_service: projects/foo-test-0/regions/europe-west8/serviceAttachments/sa
+    region: $locations:ew8
+    subnetwork: projects/foo-dev-net-spoke-0/regions/europe-west8/subnetworks/gce
+  module.ilb-l7.google_compute_region_target_http_proxy.default[0]:
+    description: Terraform managed.
+    name: ilb-test-0
+    project: foo-test-0
+    region: europe-west8
+  module.ilb-l7.google_compute_region_url_map.default:
+    description: Terraform managed.
+    host_rule:
+    - hosts:
+      - '*'
+      path_matcher: pathmap
+    name: ilb-test-0
+    path_matcher:
+    - name: pathmap
+      path_rule:
+      - paths:
+        - /cloudrun
+        - /cloudrun/*
+      - paths:
+        - /gce
+        - /gce/*
+      - paths:
+        - /hybrid
+        - /hybrid/*
+      - paths:
+        - /internet
+        - /internet/*
+      - paths:
+        - /psc
+        - /psc/*
+    project: foo-test-0
+    region: europe-west8
+
+counts:
+  google_compute_forwarding_rule: 1
+  google_compute_health_check: 1
+  google_compute_instance_group: 1
+  google_compute_network_endpoint: 2
+  google_compute_network_endpoint_group: 2
+  google_compute_region_backend_service: 6
+  google_compute_region_network_endpoint: 1
+  google_compute_region_network_endpoint_group: 3
+  google_compute_region_target_http_proxy: 1
+  google_compute_region_url_map: 1
+  modules: 1
+  resources: 19