
@stephencompall-DA stephencompall-DA commented Oct 9, 2025

Fixes DACH-NY/canton-network-internal#2152. As cloudArmor.enabled: false, this still does nothing (yet) as with #2582.

This also fixes up the default rule and actually applies successfully to a GCP cluster; see comments below for example.

Pull Request Checklist

Cluster Testing

  • If a cluster test is required, comment /cluster_test on this PR to request it, and ping someone with access to the DA-internal system to approve it.
  • If a hard-migration test is required (from the latest release), comment /hdm_test on this PR to request it, and ping someone with access to the DA-internal system to approve it.

PR Guidelines

  • Include any change that might be observable by our partners or affect their deployment in the release notes.
  • Specify fixed issues with Fixes #n, and mention issues worked on using #n
  • Include a screenshot for frontend-related PRs - see README or use your favorite screenshot tool

Merge Guidelines

  • Make the git commit message look sensible when squash-merging on GitHub (most likely: just copy your PR description).

Signed-off-by: Stephen Compall <stephen.compall@digitalasset.com>
- see https://cloud.google.com/armor/docs/rules-language-reference

@stephencompall-DA stephencompall-DA self-assigned this Oct 9, 2025

Copilot AI left a comment


Pull Request Overview

This PR implements throttling for all endpoints and all IPs by refactoring the Cloud Armor configuration to support a new throttling mechanism. The changes move away from per-endpoint, per-IP throttling to a global throttling approach across all endpoints for all IPs.

Key changes:

  • Updated configuration schema to support new throttling parameters with hostname, path prefix, and throttling limits
  • Refactored Cloud Armor policy implementation to use the new configuration structure
  • Added example configuration for the scan service with throttling disabled (maxRequestsBeforeHttp429: 0)

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

Files reviewed:

  • cluster/pulumi/infra/src/config.ts: Updated CloudArmorConfigSchema to define new throttling configuration structure with hostname, path prefix, and throttling parameters
  • cluster/pulumi/infra/src/cloudArmor.ts: Refactored throttling logic to use new configuration, simplified rule creation, and removed per-IP throttling support
  • cluster/deployment/config.yaml: Added example configuration for scan service with throttling disabled

@stephencompall-DA stephencompall-DA changed the title throttle all endpoints, all IPs config to throttle all Scan endpoints, all IPs Oct 9, 2025
@stephencompall-DA

Test enable 5667b0a on scratchd (NB: unattached so even with preview off this does nothing):

cloudArmor:
  enabled: true
  publicEndpoints:
    publicScan:
      hostname: scan.sv-2.scratchd.global.canton.network.digitalasset.com
      pathPrefix: /api/scan
      throttleAcrossAllEndpointsAllIps:
        maxRequestsBeforeHttp429: 42

enabled preview security policy

Pulumi preview & diff, enabled=true preview=true
Previewing update (infra.scratchd):
     Type                                  Name                                       Plan       Info
     pulumi:pulumi:Stack                   infra-infra.scratchd                                  2 warnings; 179 
 +   └─ gcp:compute:SecurityPolicy         waf-whitelist-throttle-ban-scratchd        create     
 +      └─ gcp:compute:SecurityPolicyRule  throttle-all-endpoints-all-ips-publicScan  create

    + gcp:compute/securityPolicy:SecurityPolicy: (create)
        [urn=urn:pulumi:infra.scratchd::infra::gcp:compute/securityPolicy:SecurityPolicy::waf-whitelist-throttle-ban-scratchd]
        [provider=urn:pulumi:infra.scratchd::infra::pulumi:providers:gcp::default_8_32_1::97198f16-3a1b-4dfa-b760-d7c481d85083]
        description: "Cloud Armor security policy for scratchd"
        name       : "waf-whitelist-throttle-ban-scratchd"
        type       : "CLOUD_ARMOR"
        + gcp:compute/securityPolicyRule:SecurityPolicyRule: (create)
            [urn=urn:pulumi:infra.scratchd::infra::gcp:compute/securityPolicy:SecurityPolicy$gcp:compute/securityPolicyRule:SecurityPolicyRule::throttle-all-endpoints-all-ips-publicScan]
            [provider=urn:pulumi:infra.scratchd::infra::pulumi:providers:gcp::default_8_32_1::97198f16-3a1b-4dfa-b760-d7c481d85083]
            action          : "throttle"
            description     : "Throttle rule for all publicScan API endpoints"
            match           : {
                expr      : {
                    expression: "request.path.startsWith(R\"/api/scan\") && request.headers['host'].matches(R\"^scan\\.sv-2\\.scratchd\\.global\\.canton\\.network\\.digitalasset\\.com(?::[0-9]+)?$\")"
                }
            }
            preview         : true
            priority        : 100000000
            rateLimitOptions: {
                conformAction     : "allow"
                enforceOnKey      : "ALL"
                exceedAction      : "deny(429)"
                rateLimitThreshold: {
                    count      : 42
                    intervalSec: 60
                }
            }
            securityPolicy  : "waf-whitelist-throttle-ban-scratchd"

enabled non-preview security policy

cloudArmor:
  allRulesPreviewOnly: false
Pulumi preview & diff, after disabling Cloud Armor preview
Previewing update (infra.scratchd):
     Type                                  Name                                       Plan       Info
     pulumi:pulumi:Stack                   infra-infra.scratchd                                  2 warnings; 179 
     └─ gcp:compute:SecurityPolicy         waf-whitelist-throttle-ban-scratchd                   
 ~      ├─ gcp:compute:SecurityPolicyRule  throttle-all-endpoints-all-ips-publicScan  update     [diff: ~preview]
 +      └─ gcp:compute:SecurityPolicyRule  default-deny                               create

        ~ gcp:compute/securityPolicyRule:SecurityPolicyRule: (update)
            [id=projects/da-cn-scratchnet/global/securityPolicies/waf-whitelist-throttle-ban-scratchd/priority/100000000]
            [urn=urn:pulumi:infra.scratchd::infra::gcp:compute/securityPolicy:SecurityPolicy$gcp:compute/securityPolicyRule:SecurityPolicyRule::throttle-all-endpoints-all-ips-publicScan]
            [provider=urn:pulumi:infra.scratchd::infra::pulumi:providers:gcp::default_8_32_1::97198f16-3a1b-4dfa-b760-d7c481d85083]
          ~ preview: true => false
        + gcp:compute/securityPolicyRule:SecurityPolicyRule: (create)
            [urn=urn:pulumi:infra.scratchd::infra::gcp:compute/securityPolicy:SecurityPolicy$gcp:compute/securityPolicyRule:SecurityPolicyRule::default-deny]
            [provider=urn:pulumi:infra.scratchd::infra::pulumi:providers:gcp::default_8_32_1::97198f16-3a1b-4dfa-b760-d7c481d85083]
            action        : "deny"
            description   : "Default rule to deny all other traffic"
            match         : {
                config       : {
                    srcIpRanges: [
                        [0]: "*"
                    ]
                }
                versionedExpr: "SRC_IPS_V1"
            }
            preview       : false
            priority      : 2147483647
            securityPolicy: "waf-whitelist-throttle-ban-scratchd"

disabling after enabling tears down

Pulumi preview & diff, teardown with enabled=false (i.e. this PR)
Previewing update (infra.scratchd):
     Type                                  Name                                       Plan       Info
     pulumi:pulumi:Stack                   infra-infra.scratchd                                  2 warnings; 179 
 -   └─ gcp:compute:SecurityPolicy         waf-whitelist-throttle-ban-scratchd        delete     
 -      ├─ gcp:compute:SecurityPolicyRule  throttle-all-endpoints-all-ips-publicScan  delete     
 -      └─ gcp:compute:SecurityPolicyRule  default-deny                               delete

- gcp:compute/securityPolicyRule:SecurityPolicyRule: (delete)
    [id=projects/da-cn-scratchnet/global/securityPolicies/waf-whitelist-throttle-ban-scratchd/priority/2147483647]
    [urn=urn:pulumi:infra.scratchd::infra::gcp:compute/securityPolicy:SecurityPolicy$gcp:compute/securityPolicyRule:SecurityPolicyRule::default-deny]
    [provider=urn:pulumi:infra.scratchd::infra::pulumi:providers:gcp::default_8_32_1::97198f16-3a1b-4dfa-b760-d7c481d85083]
    action        : "deny"
    description   : "Default rule to deny all other traffic"
    match         : {
        config       : {
            srcIpRanges: [
                [0]: "*"
            ]
        }
        versionedExpr: "SRC_IPS_V1"
    }
    preview       : false
    priority      : 2147483647
    securityPolicy: "waf-whitelist-throttle-ban-scratchd"
- gcp:compute/securityPolicyRule:SecurityPolicyRule: (delete)
    [id=projects/da-cn-scratchnet/global/securityPolicies/waf-whitelist-throttle-ban-scratchd/priority/100000000]
    [urn=urn:pulumi:infra.scratchd::infra::gcp:compute/securityPolicy:SecurityPolicy$gcp:compute/securityPolicyRule:SecurityPolicyRule::throttle-all-endpoints-all-ips-publicScan]
    [provider=urn:pulumi:infra.scratchd::infra::pulumi:providers:gcp::default_8_32_1::97198f16-3a1b-4dfa-b760-d7c481d85083]
    action          : "throttle"
    description     : "Throttle rule for all publicScan API endpoints"
    match           : {
        expr      : {
            expression: "request.path.startsWith(R\"/api/scan\") && request.headers['host'].matches(R\"^scan\\.sv-2\\.scratchd\\.global\\.canton\\.network\\.digitalasset\\.com(?::[0-9]+)?$\")"
        }
    }
    preview         : false
    priority        : 100000000
    rateLimitOptions: {
        conformAction     : "allow"
        enforceOnKey      : "ALL"
        exceedAction      : "deny(429)"
        rateLimitThreshold: {
            count      : 42
            intervalSec: 60
        }
    }
    securityPolicy  : "waf-whitelist-throttle-ban-scratchd"
    - gcp:compute/securityPolicy:SecurityPolicy: (delete)
        [id=projects/da-cn-scratchnet/global/securityPolicies/waf-whitelist-throttle-ban-scratchd]
        [urn=urn:pulumi:infra.scratchd::infra::gcp:compute/securityPolicy:SecurityPolicy::waf-whitelist-throttle-ban-scratchd]
        [provider=urn:pulumi:infra.scratchd::infra::pulumi:providers:gcp::default_8_32_1::97198f16-3a1b-4dfa-b760-d7c481d85083]
        description: "Cloud Armor security policy for scratchd"
        name       : "waf-whitelist-throttle-ban-scratchd"
        type       : "CLOUD_ARMOR"


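The Pulumi output above shows what the new publicEndpoints config turns into: one throttle rule keyed on ALL client IPs, matched by a CEL expression that pins both the path prefix and an exact, regex-escaped Host header. The following is an added example, not the PR's own cloudArmor.ts, that derives those rule arguments from the same config; it assumes a 60 s window and that maxRequestsBeforeHttp429: 0 means "emit no rule", as Copilot's summary of the scan example suggests.

```typescript
// Added example, not the PR's cloudArmor.ts: derive Cloud Armor throttle rule
// args from the publicEndpoints config shown in the test comment above.
// Assumptions: 60 s interval; 0 means no throttle rule (per the config.yaml
// example summarised in the review); priority 100000000 as in the Pulumi diff.

interface ThrottleEndpointConfig {
  hostname: string;
  pathPrefix: string;
  throttleAcrossAllEndpointsAllIps: { maxRequestsBeforeHttp429: number };
}

// Escape regex metacharacters so the hostname matches literally; an unescaped
// '.' would match any character and widen the Host check to other domains.
function escapeRegex(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// CEL match: path prefix AND an exact Host header, optionally with a :port.
// R"..." is a CEL raw string literal, so the backslashes pass through unchanged.
function buildMatchExpression(hostname: string, pathPrefix: string): string {
  const hostRe = `^${escapeRegex(hostname)}(?::[0-9]+)?$`;
  return `request.path.startsWith(R"${pathPrefix}") && request.headers['host'].matches(R"${hostRe}")`;
}

// Args for one gcp.compute.SecurityPolicyRule, or undefined when throttling is
// disabled for the endpoint (maxRequestsBeforeHttp429: 0).
function buildThrottleRule(name: string, cfg: ThrottleEndpointConfig, preview: boolean, priority = 100000000) {
  const count = cfg.throttleAcrossAllEndpointsAllIps.maxRequestsBeforeHttp429;
  if (count <= 0) return undefined;
  return {
    action: "throttle",
    description: `Throttle rule for all ${name} API endpoints`,
    match: { expr: { expression: buildMatchExpression(cfg.hostname, cfg.pathPrefix) } },
    preview,
    priority,
    rateLimitOptions: {
      conformAction: "allow",
      enforceOnKey: "ALL", // one shared bucket across all client IPs, not per IP
      exceedAction: "deny(429)",
      rateLimitThreshold: { count, intervalSec: 60 },
    },
  };
}

// Constructed sample mirroring the scratchd test config in the comment above.
const sampleScanConfig: ThrottleEndpointConfig = {
  hostname: "scan.sv-2.scratchd.global.canton.network.digitalasset.com",
  pathPrefix: "/api/scan",
  throttleAcrossAllEndpointsAllIps: { maxRequestsBeforeHttp429: 42 },
};
```

With the sample config, buildMatchExpression produces exactly the expression shown in the Pulumi diff, and the escaping is what keeps a rule meant for scan.sv-2.scratchd.global.canton.network.digitalasset.com from also matching, say, scanXsv-2 hosts.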

@julientinguely-da julientinguely-da left a comment


thanks

@stephencompall-DA stephencompall-DA merged commit 09937a1 into main Oct 14, 2025
57 checks passed
@stephencompall-DA stephencompall-DA deleted the s11/2152-throttle-all-endpoints-all-ips branch October 14, 2025 14:33