add default-allow rule

BenTheElder · BenTheElder · commit 467cdde53d62 · 2024-07-12T09:20:30.000-07:00
diff --git a/infra/gcp/terraform/modules/oci-proxy/cloud-armor.tf b/infra/gcp/terraform/modules/oci-proxy/cloud-armor.tf
@@ -73,5 +73,20 @@ resource "google_compute_security_policy" "cloud-armor" {
       }
     }
   }
+
+  # you must have a default rule with max int32 priority
+  # (IE applied last after every other rule)
+  # this just allows traffic not caught by any other rule
+  rule {
+    action   = "allow"
+    priority = "2147483647"
+    match {
+      versioned_expr = "SRC_IPS_V1"
+      config {
+        src_ip_ranges = ["*"]
+      }
+    }
+    description = "default rule"
+  }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -73,5 +73,20 @@ resource "google_compute_security_policy" "cloud-armor" {`
`73`	`73`	`}`
`74`	`74`	`}`
`75`	`75`	`}`
	`76`	`+`
	`77`	`+ # you must have a default rule with max int32 priority`
	`78`	`+ # (IE applied last after every other rule)`
	`79`	`+ # this just allows traffic not caught by any other rule`
	`80`	`+ rule {`
	`81`	`+ action = "allow"`
	`82`	`+ priority = "2147483647"`
	`83`	`+ match {`
	`84`	`+ versioned_expr = "SRC_IPS_V1"`
	`85`	`+ config {`
	`86`	`+ src_ip_ranges = ["*"]`
	`87`	`+ }`
	`88`	`+ }`
	`89`	`+ description = "default rule"`
	`90`	`+ }`
`76`	`91`	`}`
`77`	`92`