From 6e7403b46c6aab5e68364c74c5e22e27b8ad4ca6 Mon Sep 17 00:00:00 2001
From: Harald Musum <musum@yahooinc.com>
Date: Fri, 12 Jan 2024 13:53:37 +0100
Subject: Fail if missing access control filter for all clouds

---
 .../validation/AccessControlFilterExcludeValidator.java        | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'config-model')

diff --git a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/AccessControlFilterExcludeValidator.java b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/AccessControlFilterExcludeValidator.java
index aee9ca83b08..f714ba43c50 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/application/validation/AccessControlFilterExcludeValidator.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/application/validation/AccessControlFilterExcludeValidator.java
@@ -6,8 +6,12 @@ import com.yahoo.vespa.model.application.validation.Validation.Context;
 import com.yahoo.vespa.model.container.http.AccessControl;
 import com.yahoo.vespa.model.container.http.Http;
 
+import java.util.Set;
 import java.util.logging.Level;
 
+import static com.yahoo.config.provision.CloudName.DEFAULT;
+import static com.yahoo.config.provision.CloudName.YAHOO;
+
 /**
  * Validates that 'access-control' does not include any exclusions unless explicitly allowed.
  * Logs in Yahoo clouds and fails in AWS clouds
@@ -33,10 +37,10 @@ public class AccessControlFilterExcludeValidator implements Validator {
     private void verifyNoExclusions(String clusterId, AccessControl accessControl, Context context) {
         if (!accessControl.excludedBindings().isEmpty()) {
             String message = "Application cluster %s excludes paths from access control, this is not allowed and should be removed.".formatted(clusterId);
-            if (context.deployState().zone().cloud().name().equals(CloudName.AWS)) {
-                context.illegal(message);
-            } else {
+            if (Set.of(DEFAULT, YAHOO).contains(context.deployState().zone().cloud().name())) {
                 context.deployState().getDeployLogger().log(Level.WARNING, message);
+            } else {
+                context.illegal(message);
             }
         }
    }
-- 
cgit v1.2.3