From a8d7d401d679b40987f4d95104a14ba55e65165c Mon Sep 17 00:00:00 2001 From: jacklever-hub24 Date: Tue, 18 Feb 2025 17:25:45 +1100 Subject: [PATCH 1/2] Add support for locality policies to net-lb-app-ext module (#2898) * Fix the missing locality_lb_policy value and add validation for it * Added variables, dynamic blocks and validation to support locality_lb_policy/ies * Formatting * tfdoc generation * Fix net-lb-app-ext readme * Fixes for Ludo, coalesce and brevity * fmt * Revert null check due to failing tests --------- Co-authored-by: Jack Lever Co-authored-by: Ludo --- modules/net-lb-app-ext/README.md | 2 +- modules/net-lb-app-ext/backend-service.tf | 20 +++++++++++ .../variables-backend-service.tf | 34 +++++++++++++++++++ .../net_lb_app_ext/test-plan-llp.tfvars | 15 ++++++++ .../modules/net_lb_app_ext/test-plan-llp.yaml | 34 +++++++++++++++++++ tests/modules/net_lb_app_ext/tftest.yaml | 1 + 6 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 tests/modules/net_lb_app_ext/test-plan-llp.tfvars create mode 100644 tests/modules/net_lb_app_ext/test-plan-llp.yaml diff --git a/modules/net-lb-app-ext/README.md b/modules/net-lb-app-ext/README.md index c4158bfde..541fcc3a6 100644 --- a/modules/net-lb-app-ext/README.md +++ b/modules/net-lb-app-ext/README.md 
@@ -1059,7 +1059,7 @@ After provisioning this change, and verifying that the new certificate is provis | [name](variables.tf#L112) | Load balancer name. | string | ✓ | | | [project_id](variables.tf#L208) | Project id. | string | ✓ | | | [backend_buckets_config](variables.tf#L17) | Backend buckets configuration. | map(object({…})) | | {} | -| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) })) | | {} | +| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) })) | | {} | | [description](variables.tf#L50) | Optional description used for resources. | string | | "Terraform managed." | | [forwarding_rules_config](variables.tf#L56) | The optional forwarding rules configuration. | map(object({…})) | | {…} | | [group_configs](variables.tf#L81) | Optional unmanaged groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} | diff --git a/modules/net-lb-app-ext/backend-service.tf b/modules/net-lb-app-ext/backend-service.tf index 87562dc01..70a3dab23 100644 --- a/modules/net-lb-app-ext/backend-service.tf +++ b/modules/net-lb-app-ext/backend-service.tf @@ -60,6 +60,7 @@ resource "google_compute_backend_service" "default" { health_checks = length(each.value.health_checks) == 0 ? null : [ for k in each.value.health_checks : lookup(local.hc_ids, k, k) ] + locality_lb_policy = (each.value.locality_lb_policies == null ? each.value.locality_lb_policy : null) load_balancing_scheme = var.use_classic_version ? "EXTERNAL" : "EXTERNAL_MANAGED" port_name = ( each.value.port_name == null 
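Review bot: In the `@@ -60,6 +60,7 @@` hunk of backend-service.tf, `locality_lb_policy` is replaced by null whenever `locality_lb_policies` is non-null, so a caller who sets both gets no sign that one was ignored. None of the validations added in this commit rejects that combination. A check in `backend_service_configs` such as `condition = alltrue([for bs in values(var.backend_service_configs) : bs.locality_lb_policy == null || bs.locality_lb_policies == null])` would surface the conflict at plan time. The resource block starts and ends outside the hunk.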
@@ -214,6 +215,25 @@ resource "google_compute_backend_service" "default" { } } + dynamic "locality_lb_policies" { + for_each = (each.value.locality_lb_policies == null ? [] : each.value.locality_lb_policies) + content { + dynamic "policy" { + for_each = (locality_lb_policies.value.policy != null ? locality_lb_policies.value.policy : {}) + content { + name = policy.value + } + } + dynamic "custom_policy" { + for_each = (locality_lb_policies.value.custom_policy != null ? locality_lb_policies.value.custom_policy : {}) + content { + name = custom_policy.value + data = custom_policy.value.data + } + } + } + } + dynamic "outlier_detection" { for_each = ( each.value.outlier_detection == null ? [] : [each.value.outlier_detection] diff --git a/modules/net-lb-app-ext/variables-backend-service.tf b/modules/net-lb-app-ext/variables-backend-service.tf index 9b24b0c84..88317c57f 100644 --- a/modules/net-lb-app-ext/variables-backend-service.tf +++ b/modules/net-lb-app-ext/variables-backend-service.tf @@ -27,6 +27,7 @@ variable "backend_service_configs" { enable_cdn = optional(bool) health_checks = optional(list(string), ["default"]) log_sample_rate = optional(number) + locality_lb_policy = optional(string) port_name = optional(string) project_id = optional(string) protocol = optional(string) @@ -101,6 +102,15 @@ variable "backend_service_configs" { oauth2_client_secret = string oauth2_client_secret_sha256 = optional(string) })) + locality_lb_policies = optional(list(object({ + policy = optional(object({ + name = string + })) + custom_policy = optional(object({ + name = string + data = optional(string) + })) + }))) outlier_detection = optional(object({ consecutive_errors = optional(number) consecutive_gateway_failure = optional(number) 
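Review bot: The `custom_policy` dynamic block in the `@@ -214,6 +215,25 @@` hunk iterates over the object itself, so `for_each` yields one iteration per attribute (`name`, `data`) and `custom_policy.value` is a string. `custom_policy.value.data` then has nothing to read, and `name = custom_policy.value` would be evaluated once with the name and once with the data. The `policy` block only works because its object has a single attribute. Wrapping the object in a list, as the `outlier_detection` block just below does, fixes both: `for_each = locality_lb_policies.value.custom_policy == null ? [] : [locality_lb_policies.value.custom_policy]` with `name = custom_policy.value.name`, and likewise `name = policy.value.name` for `policy`. test-plan-llp.tfvars only exercises `policy`, so a `custom_policy` case is needed to cover this path.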
@@ -153,4 +163,28 @@ variable "backend_service_configs" { ])) error_message = "When specified, balancing mode needs to be 'RATE' or 'UTILIZATION'." } + validation { + condition = alltrue([ + for backend_service in values(var.backend_service_configs) : + (backend_service.locality_lb_policy == null ? true : + contains( + [ + "ROUND_ROBIN", "LEAST_REQUEST", "RING_HASH", "RANDOM", + "ORIGINAL_DESTINATION", "MAGLEV" + ], + backend_service.locality_lb_policy + )) + ]) + error_message = "When specified, locality lb policy must be one of : 'ROUND_ROBIN', 'LEAST_REQUEST', 'RING_HASH', 'RANDOM', 'ORIGINAL_DESTINATION', 'MAGLEV', 'WEIGHTED_MAGLEV'." + } + validation { + condition = alltrue(flatten([ + for backend_service in values(var.backend_service_configs) : [ + for llp in coalesce(backend_service.locality_lb_policies, []) : ( + ((llp.policy != null && llp.custom_policy == null) || (llp.policy == null && llp.custom_policy != null)) + ) + ] + ])) + error_message = "When specified, all locality lb polcies must have EITHER policy or custom_policy filled, not both." + } } diff --git a/tests/modules/net_lb_app_ext/test-plan-llp.tfvars b/tests/modules/net_lb_app_ext/test-plan-llp.tfvars new file mode 100644 index 000000000..82eb94c57 --- /dev/null +++ b/tests/modules/net_lb_app_ext/test-plan-llp.tfvars @@ -0,0 +1,15 @@ +name = "glb-test-0" +project_id = "my-project" + +backend_service_configs = { + default = { + backends = [ + { backend = "ig-b" }, + ] + locality_lb_policies = [{ + policy = { + name = "MAGLEV" + } + }] + } +} \ No newline at end of file diff --git a/tests/modules/net_lb_app_ext/test-plan-llp.yaml b/tests/modules/net_lb_app_ext/test-plan-llp.yaml new file mode 100644 index 000000000..c565db59c --- /dev/null +++ b/tests/modules/net_lb_app_ext/test-plan-llp.yaml 
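Review bot: The first added validation in the `@@ -153,4 +163,28 @@` hunk names 'WEIGHTED_MAGLEV' in its error message, but the `contains()` list does not include it, so that value is rejected with a message saying it is allowed. Either add `"WEIGHTED_MAGLEV"` to the list or drop it from the message, depending on what the provider accepts for this load balancing scheme. The second validation enforces exactly one of `policy` / `custom_policy`, yet its message only mentions "not both" and misspells "polcies"; suggest `error_message = "When specified, each locality lb policy must set exactly one of policy or custom_policy."`. Note also that `policy.name` inside `locality_lb_policies` is not checked against the allowed names, unlike `locality_lb_policy`.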
@@ -0,0 +1,34 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#counts: +# google_compute_backend_bucket: 1 +# google_compute_backend_service: 5 +# google_compute_global_forwarding_rule: 1 +# google_compute_global_network_endpoint: 1 +# google_compute_global_network_endpoint_group: 1 +# google_compute_health_check: 1 +# google_compute_instance_group: 1 +# google_compute_network_endpoint: 2 +# google_compute_network_endpoint_group: 2 +# google_compute_region_network_endpoint_group: 1 +# google_compute_target_http_proxy: 1 +# google_compute_url_map: 1 +#outputs: +# address: __missing__ +# backend_service_ids: __missing__ +# forwarding_rules: __missing__ +# group_ids: __missing__ +# health_check_ids: __missing__ +# neg_ids: __missing__ diff --git a/tests/modules/net_lb_app_ext/tftest.yaml b/tests/modules/net_lb_app_ext/tftest.yaml index 36539362e..473cf227c 100644 --- a/tests/modules/net_lb_app_ext/tftest.yaml +++ b/tests/modules/net_lb_app_ext/tftest.yaml @@ -15,3 +15,4 @@ module: modules/net-lb-app-ext tests: test-plan: + test-plan-llp: From aee6d1e27aaecd73b880e50417e693142f0b06c5 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Tue, 18 Feb 2025 08:05:28 +0100 Subject: [PATCH 2/2] add chain output (#2901) --- modules/certificate-authority-service/README.md | 9 +++++---- modules/certificate-authority-service/outputs.tf | 16 ++++++++++++---- 2 files changed, 17 insertions(+), 8 deletions(-) 
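Review bot: Every `counts:` and `outputs:` entry in the new test-plan-llp.yaml is commented out, so the inventory is empty. The `test-plan-llp` test then presumably only checks that the plan succeeds, not that the backend service receives the `MAGLEV` policy from the tfvars. Suggest replacing the commented block with a `values:` entry for the default `google_compute_backend_service` that asserts its `locality_lb_policies`, plus a `counts:` section matching what this tfvars actually creates. The copied header also says `Copyright 2023` on a file created in 2025.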
diff --git a/modules/certificate-authority-service/README.md b/modules/certificate-authority-service/README.md index 6f360ac2d..b99c87711 100644 --- a/modules/certificate-authority-service/README.md +++ b/modules/certificate-authority-service/README.md @@ -127,8 +127,9 @@ module "cas" { | name | description | sensitive | |---|---|:---:| -| [ca_ids](outputs.tf#L17) | The CA ids. | | -| [ca_pool](outputs.tf#L25) | The CA pool. | | -| [ca_pool_id](outputs.tf#L30) | The CA pool id. | | -| [cas](outputs.tf#L35) | The CAs. | | +| [ca_chains](outputs.tf#L17) | The CA chains in PEM format. | | +| [ca_ids](outputs.tf#L25) | The CA ids. | | +| [ca_pool](outputs.tf#L33) | The CA pool. | | +| [ca_pool_id](outputs.tf#L38) | The CA pool id. | | +| [cas](outputs.tf#L43) | The CAs. | | diff --git a/modules/certificate-authority-service/outputs.tf b/modules/certificate-authority-service/outputs.tf index c1bde85ef..56535c8c5 100644 --- a/modules/certificate-authority-service/outputs.tf +++ b/modules/certificate-authority-service/outputs.tf @@ -14,11 +14,19 @@ * limitations under the License. */ +output "ca_chains" { + description = "The CA chains in PEM format." + value = { + for k, v in google_privateca_certificate_authority.default : + k => join("\n", v.pem_ca_certificates) + } +} + output "ca_ids" { description = "The CA ids." value = { - for k, v in google_privateca_certificate_authority.default - : k => v.id + for k, v in google_privateca_certificate_authority.default : + k => v.id } } @@ -35,7 +43,7 @@ output "ca_pool_id" { output "cas" { description = "The CAs." value = { - for k, v in google_privateca_certificate_authority.default - : k => v + for k, v in google_privateca_certificate_authority.default : + k => v } }
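Review bot: The `ca_chains` output added in the `@@ -14,11 +14,19 @@` hunk of outputs.tf does not document how each joined chain is ordered or what a CA with no certificates yields. Both matter to anyone feeding the value into a trust bundle. `join("\n", v.pem_ca_certificates)` returns an empty string for an empty list, which I would expect for a subordinate CA that is not yet activated (to be confirmed against the provider), and a consumer would not be able to tell that apart from a real chain. Suggest extending the description to state the certificate order as returned by the provider and the empty-string case, for example `description = "The CA chains in PEM format, keyed by CA; certificates are in provider order and the value is empty if the CA has no certificate yet."`.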