more precise match exprs [skip ci]

stephencompall-DA · stephencompall-DA · commit ce16f7c29dec · 2025-10-09T21:41:54.000Z
- see https://cloud.google.com/armor/docs/rules-language-reference Signed-off-by: Stephen Compall <stephen.compall@digitalasset.com>
diff --git a/cluster/pulumi/infra/src/cloudArmor.ts b/cluster/pulumi/infra/src/cloudArmor.ts
@@ -132,10 +132,10 @@ function addThrottleAndBanRules(
       if (throttleAcrossAllEndpointsAllIps.maxRequestsBeforeHttp429 > 0) {
         const ruleName = `throttle-all-endpoints-all-ips-${confEntryHead}`;
 
-    // Build the expression for path and hostname matching
-    const pathExpr = `request.path.matches('${endpoint.path}')`;
-    const hostExpr = `request.headers['host'].matches('${endpoint.hostname}')`;
-    const matchExpr = `${pathExpr} && ${hostExpr}`;
+        // Build the expression for path and hostname matching
+        const pathExpr = `request.path.startsWith(R"${pathPrefix}")`;
+        const hostExpr = `request.headers['host'].matches(R"^${_.escapeRegExp(hostname)}(:[0-9]+)?$")`;
+        const matchExpr = `${pathExpr} && ${hostExpr}`;
 
         new gcp.compute.SecurityPolicyRule(
           ruleName,
