Add net-lb-proxy-int-cross-region module and tests (#4017)

* Add net-lb-proxy-int-cross-region module and tests

* Add context support example and tests

* Update copyright to 2026 and support instance group backends

* docs: correct Instance Groups support note in README

tests/modules/net_lb_proxy_int_cross_region/common.tfvars

@@ -0,0 +1,14 @@
+name       = "proxy-cr-test"
+project_id = "my-project"
+backend_service_config = {
+  backends = [{
+    group = "projects/myprj/zones/europe-west1-a/instanceGroups/my-ig"
+  }]
+}
+vpc_config = {
+  network = "network"
+  subnetworks = {
+    europe-west1 = "subnet-ew1"
+    europe-west4 = "subnet-ew4"
+  }
+}

tests/modules/net_lb_proxy_int_cross_region/context.tfvars

@@ -0,0 +1,56 @@
+name       = "proxy-cr-ctx-test"
+project_id = "$project_ids:my-project"
+
+context = {
+  project_ids = {
+    my-project = "concrete-project-id"
+  }
+  networks = {
+    my-vpc = "projects/concrete-project-id/global/networks/concrete-vpc"
+  }
+  subnets = {
+    my-subnet-1 = "projects/concrete-project-id/regions/europe-west1/subnetworks/concrete-subnet-1"
+    my-subnet-2 = "projects/concrete-project-id/regions/europe-west4/subnetworks/concrete-subnet-2"
+  }
+  addresses = {
+    my-addr-1 = "10.0.0.10"
+  }
+}
+
+vpc_config = {
+  network = "$networks:my-vpc"
+  subnetworks = {
+    europe-west1 = "$subnets:my-subnet-1"
+    europe-west4 = "$subnets:my-subnet-2"
+  }
+}
+
+addresses = {
+  europe-west1 = "$addresses:my-addr-1"
+}
+
+neg_configs = {
+  neg-a = {
+    gce = {
+      zone       = "europe-west1-b"
+      network    = "$networks:my-vpc"
+      subnetwork = "$subnets:my-subnet-1"
+      endpoints = {
+        vm-a = {
+          instance   = "my-vm-a"
+          ip_address = "10.0.0.2"
+          port       = 80
+        }
+      }
+    }
+  }
+}
+
+backend_service_config = {
+  backends = [{
+    group = "neg-a"
+    max_connections = {
+      per_endpoint = 100
+    }
+  }]
+}

tests/modules/net_lb_proxy_int_cross_region/context.yaml

@@ -0,0 +1,174 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  google_compute_backend_service.default:
+    affinity_cookie_ttl_sec: null
+    backend:
+    - balancing_mode: CONNECTION
+      capacity_scaler: 1
+      custom_metrics: []
+      description: Terraform managed.
+      max_connections_per_endpoint: 100
+      preference: ''
+      traffic_duration: ''
+    circuit_breakers: []
+    compression_mode: null
+    connection_draining_timeout_sec: 300
+    consistent_hash: []
+    custom_metrics: []
+    custom_request_headers: null
+    custom_response_headers: null
+    deletion_policy: DELETE
+    description: Terraform managed.
+    dynamic_forwarding: []
+    edge_security_policy: null
+    enable_cdn: null
+    external_managed_migration_state: null
+    external_managed_migration_testing_percentage: null
+    ip_address_selection_policy: null
+    load_balancing_scheme: INTERNAL_MANAGED
+    locality_lb_policies: []
+    locality_lb_policy: null
+    max_stream_duration: []
+    name: proxy-cr-ctx-test
+    network_pass_through_lb_traffic_policy: []
+    outlier_detection: []
+    params: []
+    project: concrete-project-id
+    protocol: TCP
+    security_policy: null
+    security_settings: []
+    service_lb_policy: null
+    session_affinity: NONE
+    strong_session_affinity_cookie: []
+    timeouts: null
+    tls_settings: []
+  google_compute_global_forwarding_rule.default["europe-west1"]:
+    allow_psc_global_access: null
+    deletion_policy: DELETE
+    description: Terraform managed.
+    external_managed_backend_bucket_migration_state: null
+    external_managed_backend_bucket_migration_testing_percentage: null
+    ip_address: 10.0.0.10
+    ip_protocol: TCP
+    ip_version: null
+    labels: null
+    load_balancing_scheme: INTERNAL_MANAGED
+    metadata_filters: []
+    name: proxy-cr-ctx-test-europe-west1
+    network: projects/concrete-project-id/global/networks/concrete-vpc
+    no_automate_dns_zone: null
+    port_range: '80'
+    project: concrete-project-id
+    source_ip_ranges: null
+    subnetwork: projects/concrete-project-id/regions/europe-west1/subnetworks/concrete-subnet-1
+    timeouts: null
+  google_compute_global_forwarding_rule.default["europe-west4"]:
+    allow_psc_global_access: null
+    deletion_policy: DELETE
+    description: Terraform managed.
+    external_managed_backend_bucket_migration_state: null
+    external_managed_backend_bucket_migration_testing_percentage: null
+    ip_protocol: TCP
+    ip_version: null
+    labels: null
+    load_balancing_scheme: INTERNAL_MANAGED
+    metadata_filters: []
+    name: proxy-cr-ctx-test-europe-west4
+    network: projects/concrete-project-id/global/networks/concrete-vpc
+    no_automate_dns_zone: null
+    port_range: '80'
+    project: concrete-project-id
+    source_ip_ranges: null
+    subnetwork: projects/concrete-project-id/regions/europe-west4/subnetworks/concrete-subnet-2
+    timeouts: null
+  google_compute_health_check.default[0]:
+    check_interval_sec: 5
+    deletion_policy: DELETE
+    description: Terraform managed.
+    grpc_health_check: []
+    grpc_tls_health_check: []
+    healthy_threshold: 2
+    http2_health_check: []
+    http_health_check: []
+    https_health_check: []
+    name: proxy-cr-ctx-test
+    project: concrete-project-id
+    source_regions: null
+    ssl_health_check: []
+    tcp_health_check:
+    - port: null
+      port_name: null
+      port_specification: USE_SERVING_PORT
+      proxy_header: NONE
+      request: null
+      response: null
+    timeout_sec: 5
+    timeouts: null
+    unhealthy_threshold: 2
+  google_compute_network_endpoint.default["neg-a-vm-a"]:
+    deletion_policy: DELETE
+    instance: my-vm-a
+    ip_address: 10.0.0.2
+    network_endpoint_group: proxy-cr-ctx-test-neg-a
+    port: 80
+    project: concrete-project-id
+    timeouts: null
+    zone: europe-west1-b
+  google_compute_network_endpoint_group.default["neg-a"]:
+    default_port: null
+    deletion_policy: DELETE
+    description: null
+    name: proxy-cr-ctx-test-neg-a
+    network: projects/concrete-project-id/global/networks/concrete-vpc
+    network_endpoint_type: GCE_VM_IP_PORT
+    project: concrete-project-id
+    subnetwork: projects/concrete-project-id/regions/europe-west1/subnetworks/concrete-subnet-1
+    timeouts: null
+    zone: europe-west1-b
+  google_compute_target_tcp_proxy.default:
+    deletion_policy: DELETE
+    description: Terraform managed.
+    name: proxy-cr-ctx-test
+    project: concrete-project-id
+    proxy_header: NONE
+    timeouts: null
+
+counts:
+  google_compute_backend_service: 1
+  google_compute_global_forwarding_rule: 2
+  google_compute_health_check: 1
+  google_compute_network_endpoint: 1
+  google_compute_network_endpoint_group: 1
+  google_compute_target_tcp_proxy: 1
+  modules: 0
+  resources: 7
+
+outputs:
+  addresses: __missing__
+  backend_service: __missing__
+  backend_service_id: __missing__
+  backend_service_self_link: __missing__
+  forwarding_rules: __missing__
+  group_self_links: {}
+  groups: {}
+  health_check: __missing__
+  health_check_id: __missing__
+  health_check_self_link: __missing__
+  ids: __missing__
+  neg_ids: __missing__
+  psc_neg_ids: {}
+  target_proxy: __missing__
+  target_proxy_id: __missing__

tests/modules/net_lb_proxy_int_cross_region/health-checks-tcp.tfvars

@@ -0,0 +1,10 @@
+health_check_config = {
+  tcp = {
+    port               = 5123
+    port_name          = "tcp_port_name"
+    port_specification = "USE_FIXED_PORT"
+    proxy_header       = "PROXY_V1"
+    request            = "tcp_request"
+    response           = "tcp_response"
+  }
+}

tests/modules/net_lb_proxy_int_cross_region/health-checks-tcp.yaml

@@ -0,0 +1,151 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  google_compute_backend_service.default:
+    affinity_cookie_ttl_sec: null
+    backend:
+    - balancing_mode: CONNECTION
+      capacity_scaler: 1
+      custom_metrics: []
+      description: Terraform managed.
+      group: projects/myprj/zones/europe-west1-a/instanceGroups/my-ig
+      preference: ''
+      traffic_duration: ''
+    circuit_breakers: []
+    compression_mode: null
+    connection_draining_timeout_sec: 300
+    consistent_hash: []
+    custom_metrics: []
+    custom_request_headers: null
+    custom_response_headers: null
+    deletion_policy: DELETE
+    description: Terraform managed.
+    dynamic_forwarding: []
+    edge_security_policy: null
+    enable_cdn: null
+    external_managed_migration_state: null
+    external_managed_migration_testing_percentage: null
+    ip_address_selection_policy: null
+    load_balancing_scheme: INTERNAL_MANAGED
+    locality_lb_policies: []
+    locality_lb_policy: null
+    max_stream_duration: []
+    name: proxy-cr-test
+    network_pass_through_lb_traffic_policy: []
+    outlier_detection: []
+    params: []
+    project: my-project
+    protocol: TCP
+    security_policy: null
+    security_settings: []
+    service_lb_policy: null
+    session_affinity: NONE
+    strong_session_affinity_cookie: []
+    timeouts: null
+    tls_settings: []
+  google_compute_global_forwarding_rule.default["europe-west1"]:
+    allow_psc_global_access: null
+    deletion_policy: DELETE
+    description: Terraform managed.
+    external_managed_backend_bucket_migration_state: null
+    external_managed_backend_bucket_migration_testing_percentage: null
+    ip_protocol: TCP
+    ip_version: null
+    labels: null
+    load_balancing_scheme: INTERNAL_MANAGED
+    metadata_filters: []
+    name: proxy-cr-test-europe-west1
+    network: network
+    no_automate_dns_zone: null
+    port_range: '80'
+    project: my-project
+    source_ip_ranges: null
+    subnetwork: subnet-ew1
+    timeouts: null
+  google_compute_global_forwarding_rule.default["europe-west4"]:
+    allow_psc_global_access: null
+    deletion_policy: DELETE
+    description: Terraform managed.
+    external_managed_backend_bucket_migration_state: null
+    external_managed_backend_bucket_migration_testing_percentage: null
+    ip_protocol: TCP
+    ip_version: null
+    labels: null
+    load_balancing_scheme: INTERNAL_MANAGED
+    metadata_filters: []
+    name: proxy-cr-test-europe-west4
+    network: network
+    no_automate_dns_zone: null
+    port_range: '80'
+    project: my-project
+    source_ip_ranges: null
+    subnetwork: subnet-ew4
+    timeouts: null
+  google_compute_health_check.default[0]:
+    check_interval_sec: 5
+    deletion_policy: DELETE
+    description: Terraform managed.
+    grpc_health_check: []
+    grpc_tls_health_check: []
+    healthy_threshold: 2
+    http2_health_check: []
+    http_health_check: []
+    https_health_check: []
+    name: proxy-cr-test
+    project: my-project
+    source_regions: null
+    ssl_health_check: []
+    tcp_health_check:
+    - port: 5123
+      port_name: tcp_port_name
+      port_specification: USE_FIXED_PORT
+      proxy_header: PROXY_V1
+      request: tcp_request
+      response: tcp_response
+    timeout_sec: 5
+    timeouts: null
+    unhealthy_threshold: 2
+  google_compute_target_tcp_proxy.default:
+    deletion_policy: DELETE
+    description: Terraform managed.
+    name: proxy-cr-test
+    project: my-project
+    proxy_header: NONE
+    timeouts: null
+
+counts:
+  google_compute_backend_service: 1
+  google_compute_global_forwarding_rule: 2
+  google_compute_health_check: 1
+  google_compute_target_tcp_proxy: 1
+  modules: 0
+  resources: 5
+
+outputs:
+  addresses: __missing__
+  backend_service: __missing__
+  backend_service_id: __missing__
+  backend_service_self_link: __missing__
+  forwarding_rules: __missing__
+  group_self_links: {}
+  groups: {}
+  health_check: __missing__
+  health_check_id: __missing__
+  health_check_self_link: __missing__
+  ids: __missing__
+  neg_ids: {}
+  psc_neg_ids: {}
+  target_proxy: __missing__
+  target_proxy_id: __missing__

tests/modules/net_lb_proxy_int_cross_region/instance-groups.tfvars

@@ -0,0 +1,26 @@
+name       = "proxy-cr-ig-test"
+project_id = "my-project"
+
+vpc_config = {
+  network = "network"
+  subnetworks = {
+    europe-west1 = "subnet-ew1"
+    europe-west4 = "subnet-ew4"
+  }
+}
+
+group_configs = {
+  ig-a = {
+    zone = "europe-west1-b"
+    instances = [
+      "projects/my-project/zones/europe-west1-b/instances/vm-a"
+    ]
+  }
+}
+
+backend_service_config = {
+  backends = [{
+    group          = "ig-a"
+    balancing_mode = "UTILIZATION"
+  }]
+}

tests/modules/net_lb_proxy_int_cross_region/instance-groups.yaml

@@ -0,0 +1,161 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  google_compute_backend_service.default:
+    affinity_cookie_ttl_sec: null
+    backend:
+    - balancing_mode: UTILIZATION
+      capacity_scaler: 1
+      custom_metrics: []
+      description: Terraform managed.
+      preference: ''
+      traffic_duration: ''
+    circuit_breakers: []
+    compression_mode: null
+    connection_draining_timeout_sec: 300
+    consistent_hash: []
+    custom_metrics: []
+    custom_request_headers: null
+    custom_response_headers: null
+    deletion_policy: DELETE
+    description: Terraform managed.
+    dynamic_forwarding: []
+    edge_security_policy: null
+    enable_cdn: null
+    external_managed_migration_state: null
+    external_managed_migration_testing_percentage: null
+    ip_address_selection_policy: null
+    load_balancing_scheme: INTERNAL_MANAGED
+    locality_lb_policies: []
+    locality_lb_policy: null
+    max_stream_duration: []
+    name: proxy-cr-ig-test
+    network_pass_through_lb_traffic_policy: []
+    outlier_detection: []
+    params: []
+    project: my-project
+    protocol: TCP
+    security_policy: null
+    security_settings: []
+    service_lb_policy: null
+    session_affinity: NONE
+    strong_session_affinity_cookie: []
+    timeouts: null
+    tls_settings: []
+  google_compute_global_forwarding_rule.default["europe-west1"]:
+    allow_psc_global_access: null
+    deletion_policy: DELETE
+    description: Terraform managed.
+    external_managed_backend_bucket_migration_state: null
+    external_managed_backend_bucket_migration_testing_percentage: null
+    ip_protocol: TCP
+    ip_version: null
+    labels: null
+    load_balancing_scheme: INTERNAL_MANAGED
+    metadata_filters: []
+    name: proxy-cr-ig-test-europe-west1
+    network: network
+    no_automate_dns_zone: null
+    port_range: '80'
+    project: my-project
+    source_ip_ranges: null
+    subnetwork: subnet-ew1
+    timeouts: null
+  google_compute_global_forwarding_rule.default["europe-west4"]:
+    allow_psc_global_access: null
+    deletion_policy: DELETE
+    description: Terraform managed.
+    external_managed_backend_bucket_migration_state: null
+    external_managed_backend_bucket_migration_testing_percentage: null
+    ip_protocol: TCP
+    ip_version: null
+    labels: null
+    load_balancing_scheme: INTERNAL_MANAGED
+    metadata_filters: []
+    name: proxy-cr-ig-test-europe-west4
+    network: network
+    no_automate_dns_zone: null
+    port_range: '80'
+    project: my-project
+    source_ip_ranges: null
+    subnetwork: subnet-ew4
+    timeouts: null
+  google_compute_health_check.default[0]:
+    check_interval_sec: 5
+    deletion_policy: DELETE
+    description: Terraform managed.
+    grpc_health_check: []
+    grpc_tls_health_check: []
+    healthy_threshold: 2
+    http2_health_check: []
+    http_health_check: []
+    https_health_check: []
+    name: proxy-cr-ig-test
+    project: my-project
+    source_regions: null
+    ssl_health_check: []
+    tcp_health_check:
+    - port: null
+      port_name: null
+      port_specification: USE_SERVING_PORT
+      proxy_header: NONE
+      request: null
+      response: null
+    timeout_sec: 5
+    timeouts: null
+    unhealthy_threshold: 2
+  google_compute_instance_group.default["ig-a"]:
+    deletion_policy: DELETE
+    description: Terraform managed.
+    instances:
+    - projects/my-project/zones/europe-west1-b/instances/vm-a
+    name: proxy-cr-ig-test-ig-a
+    named_port: []
+    project: my-project
+    timeouts: null
+    zone: europe-west1-b
+  google_compute_target_tcp_proxy.default:
+    deletion_policy: DELETE
+    description: Terraform managed.
+    name: proxy-cr-ig-test
+    project: my-project
+    proxy_header: NONE
+    timeouts: null
+
+counts:
+  google_compute_backend_service: 1
+  google_compute_global_forwarding_rule: 2
+  google_compute_health_check: 1
+  google_compute_instance_group: 1
+  google_compute_target_tcp_proxy: 1
+  modules: 0
+  resources: 6
+
+outputs:
+  addresses: __missing__
+  backend_service: __missing__
+  backend_service_id: __missing__
+  backend_service_self_link: __missing__
+  forwarding_rules: __missing__
+  group_self_links: __missing__
+  groups: __missing__
+  health_check: __missing__
+  health_check_id: __missing__
+  health_check_self_link: __missing__
+  ids: __missing__
+  neg_ids: {}
+  psc_neg_ids: {}
+  target_proxy: __missing__
+  target_proxy_id: __missing__

tests/modules/net_lb_proxy_int_cross_region/tftest.yaml

@@ -0,0 +1,21 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module: modules/net-lb-proxy-int-cross-region
+common_tfvars:
+- common.tfvars
+tests:
+  health-checks-tcp:
+  context:
+  instance-groups: