From 50ba752d3058a9d4be9bf579bc4f38fe75aed0a5 Mon Sep 17 00:00:00 2001
From: Brian Manifold
Date: Sat, 9 Nov 2024 10:09:16 -0500
Subject: [PATCH] fix(infra): Update gcp cloud armor rules (#7293)

The expression for one of the rules was not able to be applied due to invalid characters (`\n`) and even once the invalid characters were removed there is a limit of 5 subexpressions, but the previous expression contained 10. Along with the expression change, the `deny(451)` is not allowed. The only `deny` codes allowed are `403`, `404`, `502`
---
 .../modules/google-cloud/apps/elixir/network.tf | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)
diff --git a/terraform/modules/google-cloud/apps/elixir/network.tf b/terraform/modules/google-cloud/apps/elixir/network.tf
index 8f2b24453..f38ad5521 100644
--- a/terraform/modules/google-cloud/apps/elixir/network.tf
+++ b/terraform/modules/google-cloud/apps/elixir/network.tf
@@ -68,23 +68,12 @@ resource "google_compute_security_policy" "default" {
 rule {
 description = "block sanctioned countries"
- action = "deny(451)"
+ action = "deny(403)"
 priority = "101"
 match {
 expr {
- expression = <