FEAT: add support to EXT_AUTHZ_GRPC in Google Network Service Authz Extension (#16029)

victorsantos-cit · web-flow · commit 368e40b7592b · 2026-01-07T22:22:55.000Z
diff --git a/mmv1/products/networkservices/AuthzExtension.yaml b/mmv1/products/networkservices/AuthzExtension.yaml
@@ -55,6 +55,14 @@ examples:
       backend_name: 'authz-service'
     test_env_vars:
       project: 'PROJECT_NAME'
+  - name: 'network_services_authz_extension_basic_with_auth_grpc'
+    min_version: 'beta'
+    primary_resource_id: 'default'
+    vars:
+      resource_name: 'my-authz-ext-with-grpc'
+      backend_name: 'authz-service-grpc'
+    test_env_vars:
+      project: 'PROJECT_NAME'
 parameters:
   - name: 'name'
     type: String
@@ -142,8 +150,23 @@ properties:
   - name: 'wireFormat'
     type: Enum
     description: |
-      The format of communication supported by the callout extension. Will be set to EXT_PROC_GRPC by the backend if no value is set.
+      Specifies the communication protocol used by the callout extension
+      to communicate with its backend service.
+      Supported values:
+      - WIRE_FORMAT_UNSPECIFIED:
+          No wire format is explicitly specified. The backend automatically
+          defaults this value to EXT_PROC_GRPC.
+      - EXT_PROC_GRPC:
+          Uses Envoy's External Processing (ext_proc) gRPC API over a single
+          gRPC stream. The backend service must support HTTP/2 or H2C.
+          All supported events for a client request are sent over the same
+          gRPC stream. This is the default wire format.
+      - EXT_AUTHZ_GRPC:
+          Uses Envoy's external authorization (ext_authz) gRPC API.
+          The backend service must support HTTP/2 or H2C.
+          This option is only supported for regional AuthzExtension resources.
     default_from_api: true
     enum_values:
       - 'WIRE_FORMAT_UNSPECIFIED'
       - 'EXT_PROC_GRPC'
+      - 'EXT_AUTHZ_GRPC'
diff --git a/mmv1/templates/terraform/examples/network_services_authz_extension_basic_with_auth_grpc.tf.tmpl b/mmv1/templates/terraform/examples/network_services_authz_extension_basic_with_auth_grpc.tf.tmpl
@@ -0,0 +1,26 @@
+resource "google_compute_region_backend_service" "default" {
+  provider              = google-beta
+  name                  = "{{index $.Vars "backend_name"}}"
+  project               = "{{index $.TestEnvVars "project"}}"
+  region                = "us-west1"
+
+  protocol              = "HTTP2"
+  load_balancing_scheme = "INTERNAL_MANAGED"
+  port_name             = "grpc"
+}
+
+resource "google_network_services_authz_extension" "{{$.PrimaryResourceId}}" {
+  provider = google-beta
+  name     = "{{index $.Vars "resource_name"}}"
+  project  = "{{index $.TestEnvVars "project"}}"
+  location = "us-west1"
+
+  description           = "my description"
+  load_balancing_scheme = "INTERNAL_MANAGED"
+  wire_format           = "EXT_AUTHZ_GRPC"
+  authority       = "ext11.com"
+  service         = google_compute_region_backend_service.default.self_link
+  timeout         = "0.1s"
+  fail_open       = false
+  forward_headers = ["Authorization"]
+}
