gcp - add security policy resource, actions, docs #4537
Conversation
|
|
||
|
|
||
| @LoadBalancingSecurityPolicy.action_registry.register('add') | ||
| class LoadBalancingSecurityPolicyAddRule(MethodAction): |
There was a problem hiding this comment.
what happens if this is used to add a duplicate rule
There was a problem hiding this comment.
It's not allowed to have more than one rule with the same priority so this will result into a http error (400). Seems that the details are swallowed by Custodian and there are no useful information in the traceback for a user. I will add the check and corresponding exception with details in case there are duplicates.
p.s. this still won't help in case duplicate is added (e.g. via the console) while custodian executes the policy
There was a problem hiding this comment.
how is a user supposed to insert a priority value here apriori across a fleet of load balancer policies and projects that is correct and unique.. ie how is anyone supposed to use this at scale without getting runtime exceptions.
There was a problem hiding this comment.
@kapilt good point. I will delete the add rule action. Wrt resource. I would keep it because there is another useful action - remove rule. Use case for that: delete those allow-rules which include ip ranges being added to the blacklist. This action wasn't implemented yet because it requires a little bit more efforts. It will be added in the future I hope.
Use case: Custodian can control a set of security policies and modify as needed (e.g. add new rule etc.)