New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gcp - add security policy resource, actions, docs #4537
base: main
Are you sure you want to change the base?
gcp - add security policy resource, actions, docs #4537
Conversation
|
||
|
||
@LoadBalancingSecurityPolicy.action_registry.register('add') | ||
class LoadBalancingSecurityPolicyAddRule(MethodAction): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what happens if this is used to add a duplicate rule
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not allowed to have more than one rule with the same priority so this will result into a http error (400). Seems that the details are swallowed by Custodian and there are no useful information in the traceback for a user. I will add the check and corresponding exception with details in case there are duplicates.
p.s. this still won't help in case duplicate is added (e.g. via the console) while custodian executes the policy
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kapilt anything else here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kapilt done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how is a user supposed to insert a priority value here apriori across a fleet of load balancer policies and projects that is correct and unique.. ie how is anyone supposed to use this at scale without getting runtime exceptions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kapilt good point. I will delete the add rule action. Wrt resource. I would keep it because there is another useful action - remove rule. Use case for that: delete those allow-rules which include ip ranges being added to the blacklist. This action wasn't implemented yet because it requires a little bit more efforts. It will be added in the future I hope.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kapilt done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello @kapilt Something else here?
Use case: Custodian can control a set of security policies and modify as needed (e.g. add new rule etc.)