Google Cloud Armor: Cannot get the match expression to work for "in" operator and list ".exists"
'in' operation
I have a list of origin asns that I would like to block access using CloudArmor. I am using the match expression and trying something very simple like this:
origin.asn in [12, 13]
I just cannot understand what the syntax is for in. I have reread this cel-spec language definition countless times and I can't figure out.
https://github.com/google/cel-spec/blob/master/doc/langdef.md#list-of-standard-definitions
The doc claims:
Set membership test of a json number in a list of integers:
json.number in [1, 2, 3]
int(json.number) in [1, 2, 3]
So I wrote the following and it still gives me the syntax error. See screenshot:
I have pretty much gone through all the examples from google docs too, and they are very basic for me, and do not help. https://cloud.google.com/armor/docs/rules-language-reference#expression-examples
list ".exists" macro
The lang spec claims:
e.all(x, p): tests whether a predicate holds for all elements of a list e or keys of a map e. Here x is a simple identifier to be used in p which binds to the element or key. The all() macro combines per-element predicate results with the "and" (&&) operator, so if any predicate evaluates to false, the macro evaluates to false, ignoring any errors from other predicates.
e.exists(x, p): like the all() macro, but combines the predicate results with the "or" (||) operator.
Again, just doing a simple test with the .exists macro, I get the error. See screenshot:
I can only assume that I am missing something really basic or the lang spec isn't really supported at this current time by CA. I would be grateful if someone can point me in the right direction.
I believe this paragraph might mislead the readers. Docs.
The custom rules language is used to write the expressions in advanced match conditions for security policy rules. The Google Cloud Armor custom rules language is an extension of the Common Expression Language (CEL).
Cloud Armor match expression probably does not implement all the lang definitions from the CEL-spec, hence the error. Best to rewrite these expression in to smaller and multiple rules.
- Bash Indirect expansion doesn't seem to work in cloud build bash scripts?
- How do I list all the top-level folders in given GCS bucket?
- Trigger Google Cloud Build with Google Cloud Scheduler periodically
- Google Cloud Functions - ImportError: cannot import name 'InvalidKeyError' from 'jwt.exceptions'
- GCP - User ... does not have permission to access projects instance
- Google Cloud Compute Engine refusing connections despite firewall rule
- How to I return JSON from a Google Cloud Function
- Making Exact Copy of Server Google Cloud
- How to drop multiple tables in Big query using Wildcards TABLE_DATE_RANGE()?
- firebase, linkWithCredential to add new auth provider to an Account
- .NET Core Blazor Server cannot access to Cloud SQL in Cloud Run
- Google Compute Engine and ADC Application Default Credentials
- Is there a way to connect cloud firestore to realtime database using Cloud functions?
- Pyspark on GCP Dataproc - Partial reading of data for gzip encoded Cloud Storage files
- How to use GitHub immutable values (IDs) in Attribute Conditions?
- Cannot find the id using Firebase Firestore Database - Android kotlin
- _CHANGE_TYPE not working when streaming Google Big Query rows from Pub/Sub
- Realtime database `onValueWritten` event does not trigger in emulator
- Error 400: invalid_scope with Postman and Google OAuth2
- Firebase Firestore REST Request - Query and Filter
- `IAM_PERMISSION_DENIED` on a deployed service on GCP, but no errors on localhost
- Error 400 invalid JSON Payload Unknown name generationConfig on an AI API Curl command
- Restricting usage for an Android key for a Google API
- Google Cloud Function The request was aborted because there was no available instance
- How to properly create URL Masking for Cloud Functions to create a NEG?
- Deploying an Angular app on Google Cloud with minimal costs
- Cloud Run For Anthos With Terraform
- How to delete a key:value pair from Firebase map?
- Flagging a row in new column based on conditions on previous and current rows
- Cant access Firebase Admin SDK via Node.js on my VPS, but I can on my local machine