Add PSC environment

Author: logachev

java-bigquery/google-cloud-bigquery-jdbc/tools/environments/README.md

@@ -0,0 +1,66 @@
+# Test Environments
+
+This directory contains Terraform configurations to provision environments for testing the BigQuery JDBC driver.
+
+## Available Environments
+
+### Private Service Connect (PSC)
+
+Located in `private_service_connect/`.
+
+This environment provisions:
+- A custom VPC and subnet.
+- Cloud NAT (allowing outbound internet access without public IPs).
+- A Private Service Connect (PSC) endpoint for Google APIs (`all-apis`).
+- A Compute Engine VM instance with no public IP, accessible via IAP (Identity-Aware Proxy).
+- Firewall rules to allow IAP SSH access.
+
+This setup is useful for testing connectivity to BigQuery via PSC and validating that traffic goes through the private endpoint.
+
+## Deployment
+
+To deploy an environment, you need Terraform installed and configured with Google Cloud credentials.
+
+### Steps
+
+1.  Navigate to the specific environment directory:
+    ```bash
+    cd tools/environments/private_service_connect
+    ```
+
+2.  Initialize Terraform:
+    ```bash
+    terraform init
+    ```
+
+3.  Create a `terraform.tfvars` file or pass variables on the command line.
+    Required variables:
+    - `project_id`: The GCP project ID where resources will be created.
+
+    Optional variables (see `variables.tf` for defaults):
+    - `region`: Defaults to `us-central1`.
+    - `zone`: Defaults to `us-central1-a`.
+    - `env_name`: Defaults to `demo`.
+
+    Example `terraform.tfvars`:
+    ```hcl
+    project_id = "your-gcp-project-id"
+    region     = "us-central1"
+    zone       = "us-central1-a"
+    env_name   = "jdbc-test"
+    ```
+
+4.  Plan the deployment:
+    ```bash
+    terraform plan
+    ```
+
+5.  Apply the configuration:
+    ```bash
+    terraform apply
+    ```
+
+6.  When done, you can destroy the environment:
+    ```bash
+    terraform destroy
+    ```

java-bigquery/google-cloud-bigquery-jdbc/tools/environments/private_service_connect/main.tf

@@ -0,0 +1,85 @@
+provider "google" {
+  project = var.project_id
+  region  = var.region
+}
+
+# 1. VPC Network
+resource "google_compute_network" "vpc" {
+  name                    = "${var.env_name}-vpc"
+  auto_create_subnetworks = false
+}
+
+# 2. Subnet
+resource "google_compute_subnetwork" "subnet" {
+  name          = "${var.env_name}-subnet"
+  ip_cidr_range = "10.0.0.0/24"
+  region        = var.region
+  network       = google_compute_network.vpc.id
+}
+
+# 3. Cloud NAT for Internet Access (No Public IP for VM)
+resource "google_compute_router" "router" {
+  name    = "${var.env_name}-router"
+  region  = var.region
+  network = google_compute_network.vpc.id
+}
+
+resource "google_compute_router_nat" "nat" {
+  name                               = "${var.env_name}-nat"
+  router                             = google_compute_router.router.name
+  region                             = var.region
+  nat_ip_allocate_option             = "AUTO_ONLY"
+  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
+}
+
+# 4. Private Service Connect for Google APIs
+resource "google_compute_global_address" "psc_ip" {
+  name         = "${var.env_name}-psc-ip"
+  address_type = "INTERNAL"
+  purpose      = "PRIVATE_SERVICE_CONNECT"
+  network      = google_compute_network.vpc.id
+  address      = "10.0.1.2" # Using a distinct IP outside the subnet range or just let it auto-allocate if possible, but purpose requires specific handling. Actually, global address for PSC can be any internal IP. Let's auto-allocate or use a specific one.
+}
+
+resource "google_compute_global_forwarding_rule" "psc_rule" {
+  name                  = "${var.env_name}" # This name generates the p.googleapis.com endpoint
+  target                = "all-apis"
+  network               = google_compute_network.vpc.id
+  ip_address            = google_compute_global_address.psc_ip.id
+  load_balancing_scheme = ""
+}
+
+# 5. Firewall for IAP SSH
+resource "google_compute_firewall" "iap_ssh" {
+  name    = "${var.env_name}-allow-iap-ssh"
+  network = google_compute_network.vpc.id
+
+  allow {
+    protocol = "tcp"
+    ports    = ["22"]
+  }
+
+  source_ranges = ["172.253.30.0/23"] # IAP range
+}
+
+# 6. VM Instance
+resource "google_compute_instance" "vm" {
+  name         = "${var.env_name}-vm"
+  machine_type = "e2-medium"
+  zone         = var.zone
+
+  boot_disk {
+    initialize_params {
+      image = "debian-cloud/debian-12"
+    }
+  }
+
+  network_interface {
+    subnetwork = google_compute_subnetwork.subnet.id
+    # No access_config block ensures no public IP
+  }
+
+  metadata = {
+    enable-oslogin = "TRUE"
+  }
+}

java-bigquery/google-cloud-bigquery-jdbc/tools/environments/private_service_connect/outputs.tf

@@ -0,0 +1,13 @@
+output "psc_endpoint" {
+  value       = "https://bigquery-${var.env_name}.p.googleapis.com"
+  description = "The expected Private Service Connect endpoint for BigQuery."
+}
+
+output "psc_ip_address" {
+  value       = google_compute_global_address.psc_ip.address
+  description = "The internal IP address reserved for Private Service Connect."
+}
+
+output "vm_connect" {
+  value = "ssh kirl_google_com@nic0.${google_compute_instance.vm.name}.${google_compute_instance.vm.zone}.c.${var.project_id}.internal.gcpnode.com"
+}

java-bigquery/google-cloud-bigquery-jdbc/tools/environments/private_service_connect/variables.tf

@@ -0,0 +1,22 @@
+variable "project_id" {
+  type        = string
+  description = "The GCP project ID where resources will be created."
+}
+
+variable "region" {
+  type        = string
+  description = "The region where resources will be created."
+  default     = "us-central1"
+}
+
+variable "zone" {
+  type        = string
+  description = "The zone where the VM will be created."
+  default     = "us-central1-a"
+}
+
+variable "env_name" {
+  type        = string
+  description = "Identifier used as prefix/suffix for resource names to easily identify them."
+  default     = "demo"
+}