# Ingress Failure In Shared VPC
We have a Shared VPC setup, and when I try to create an Ingress (L7 load balancer) for my app, it fails with an error saying that the controller was unable to create a firewall rule. The event includes the exact `gcloud` command it wanted to run.
### Error

```sh
gcloud compute firewall-rules create k8s-fw-l7--b1a36f0a2cbc5f47 --network xxx --description "GCE L7 firewall rule" --allow tcp:30000-32767 --source-ranges 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 --target-tags xxx --project xxx
```
The reason is that the GKE service account of the service project (the project where the cluster lives, `service-<SERVICE_PROJECT_NUMBER>@container-engine-robot.iam.gserviceaccount.com`) is not allowed to create firewall rules in the Shared VPC host project, and the ingress controller needs that rule so Google's health checkers and L7 proxies can reach the NodePorts on the cluster nodes. We could get past the error by granting that service account a role that can manage firewall rules in the host project (Compute Security Admin, `roles/compute.securityAdmin`; Compute Network Admin does not include firewall permissions), but handing a cluster-managed identity firewall control over the shared network compromises our security. Instead we create the firewall rule ourselves in the host project and add an annotation to the Ingress so the controller stops reporting the error. Note that the annotation only silences the event: if the rule is missing or does not match (wrong network, source ranges, ports or node tag), the load balancer's health checks still cannot reach the nodes and the backends stay unhealthy.
### Annotation

```yaml
networking.gke.io/suppress-firewall-xpn-error: "true"
```
### Firewall Rule

```hcl
resource "google_compute_firewall" "common_gke_in_l7_lb" {
  name        = "common-gke-in-l7-lb"
  description = "Allow Google Health Checks on L7 lbs"
  # The rule has to be created on the shared network in the Shared VPC host project,
  # which is where the ingress controller was trying (and failing) to create it.
  network   = "${module.vpc.network_name}"
  project   = "${var.gcp_project_id}"
  priority  = 1
  direction = "INGRESS"

  allow {
    protocol = "tcp"
    ports    = ["30000-32767"] # NodePort range the L7 LB backends listen on
  }

  # Google Cloud health check and L7 proxy source ranges
  # (the same ones the controller's gcloud command asked for)
  source_ranges = [
    "209.85.152.0/22",
    "209.85.204.0/22",
    "35.191.0.0/16",
    "130.211.0.0/22",
  ]

  # You can get this tag by checking the node pool (it is the network tag on the GKE nodes)
  target_tags = ["my-gke-cluster-1cc304ad-node"]
}
```
### Ingress Yaml

```yaml
# extensions/v1beta1 is what the original used; it was removed in Kubernetes 1.22.
# On newer clusters use networking.k8s.io/v1, where the backend is written as
# service.name / service.port.number instead of serviceName / servicePort.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # Tell the GKE ingress controller not to report the firewall-rule error;
    # the rule itself is managed by the Terraform above.
    networking.gke.io/suppress-firewall-xpn-error: "true"
    kubernetes.io/ingress.global-static-ip-name: glb-for-transformer
  name: myapp
spec:
  rules:
  - host: myapp.newcorp.local
    http:
      paths:
      - backend:
          serviceName: myapp
          servicePort: 80
```
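Before adding the annotation it is worth checking that the rule you created actually grants what the controller asked for, because the annotation only hides the event. The script below is an added example, not code from the original post: it parses the `gcloud compute firewall-rules create` line printed in the Ingress event and compares it with a rule in the shape that `gcloud compute firewall-rules describe --format=json` returns, reporting every gap (wrong project or network, a missing health-check range, a node tag the rule does not target, ports it does not allow). The command line and the describe output embedded in it are constructed; the post's redacted `xxx` values are replaced by the placeholder names `shared-vpc` and `host-project`.

```python
"""Check that a hand-managed firewall rule in the Shared VPC host project covers
what the GKE ingress controller asked for, before suppressing the error.
Added example; not the original post's code."""
import ipaddress
import shlex

# Constructed: the command GKE prints in the Ingress event. The post's redacted
# "xxx" values are replaced by the placeholder names shared-vpc / host-project.
SUGGESTED_CMD = (
    "gcloud compute firewall-rules create k8s-fw-l7--b1a36f0a2cbc5f47 "
    '--network shared-vpc --description "GCE L7 firewall rule" '
    "--allow tcp:30000-32767 "
    "--source-ranges 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 "
    "--target-tags my-gke-cluster-1cc304ad-node --project host-project"
)

# Constructed: the shape `gcloud compute firewall-rules describe common-gke-in-l7-lb
# --project host-project --format=json` returns for the Terraform rule in the post.
EXISTING_RULE = {
    "name": "common-gke-in-l7-lb",
    "network": "https://www.googleapis.com/compute/v1/projects/host-project/global/networks/shared-vpc",
    "direction": "INGRESS",
    "disabled": False,
    "allowed": [{"IPProtocol": "tcp", "ports": ["30000-32767"]}],
    "sourceRanges": ["209.85.152.0/22", "209.85.204.0/22", "35.191.0.0/16", "130.211.0.0/22"],
    "targetTags": ["my-gke-cluster-1cc304ad-node"],
}


def parse_suggested_command(cmd):
    """Turn the `gcloud compute firewall-rules create ...` line into a dict of
    what the controller wanted: name, network, project, allow, ranges, tags."""
    argv = shlex.split(cmd)
    if argv[:4] != ["gcloud", "compute", "firewall-rules", "create"]:
        raise ValueError("not a firewall-rules create command")
    wanted = {"name": argv[4], "allow": [], "source_ranges": [], "target_tags": []}
    i = 5
    while i < len(argv):
        if not argv[i].startswith("--"):
            raise ValueError(f"unexpected token {argv[i]!r}")
        key, sep, value = argv[i][2:].partition("=")
        if not sep:  # value is the next token rather than --flag=value
            i += 1
            value = argv[i]
        key = key.replace("-", "_")
        if key in ("allow", "source_ranges", "target_tags"):
            wanted[key].extend(value.split(","))  # comma-separated list flags
        else:
            wanted[key] = value
        i += 1
    return wanted


def _port_span(spec):
    """'30000-32767' -> (30000, 32767); '80' -> (80, 80); None -> every port."""
    if spec is None:
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def _allow_covered(allowed, allow_spec):
    """Is an --allow spec such as 'tcp:30000-32767' inside one allowed entry?"""
    proto, _, ports = allow_spec.partition(":")
    lo, hi = _port_span(ports or None)
    for entry in allowed:
        if entry["IPProtocol"] not in (proto, "all"):
            continue
        for p in entry.get("ports") or [None]:  # no ports listed == all ports
            elo, ehi = _port_span(p)
            if elo <= lo and hi <= ehi:
                return True
    return False


def coverage_gaps(existing, wanted):
    """List every way the existing rule falls short of what the controller
    asked for. An empty list means the annotation is safe to add."""
    gaps = []
    net = existing["network"]
    if existing.get("direction", "INGRESS") != "INGRESS":
        gaps.append("rule is not an INGRESS rule")
    if existing.get("disabled"):
        gaps.append("rule is disabled")
    if "project" in wanted and f"/projects/{wanted['project']}/" not in net:
        gaps.append(f"rule is not in project {wanted['project']}")
    if net.rsplit("/", 1)[-1] != wanted["network"]:
        gaps.append(f"rule is not on network {wanted['network']}")
    have = [ipaddress.ip_network(r) for r in existing.get("sourceRanges", [])]
    for r in wanted["source_ranges"]:
        if not any(ipaddress.ip_network(r).subnet_of(h) for h in have):
            gaps.append(f"source range {r} not allowed")
    tags = existing.get("targetTags")
    if tags:  # no targetTags at all means the rule applies to every instance on the network
        for t in wanted["target_tags"]:
            if t not in tags:
                gaps.append(f"target tag {t} not covered")
    for a in wanted["allow"]:
        if not _allow_covered(existing.get("allowed", []), a):
            gaps.append(f"allow {a} not covered")
    return gaps


if __name__ == "__main__":
    gaps = coverage_gaps(EXISTING_RULE, parse_suggested_command(SUGGESTED_CMD))
    print("rule covers the request; safe to suppress" if not gaps else "\n".join(gaps))
```

In practice you would paste the command from `kubectl describe ingress myapp` into `SUGGESTED_CMD` and load the real `describe --format=json` output into `EXISTING_RULE`; a rule with no `targetTags` is accepted because it applies to every instance on the network, but that is wider than the node-tag-scoped rule the controller wanted, so keep the tag.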