Cloud Functions ingress is not set to internal-only traffic Affecting Cloud Functions service in Google
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-CC-00808
- credit Snyk Research Team
Description
Allowing ingress from external sources can expose Cloud Functions to unauthorized access and potential attacks. Restricting ingress to internal traffic reduces the attack surface by ensuring that only traffic originating from within the cloud provider's network can reach the function. This mitigates risks associated with public endpoints and helps maintain a stronger security posture.
How to fix?
Set the ingress_settings attribute to ALLOW_INTERNAL_ONLY for the resource google_cloudfunctions_function.
Set the service_config[_].ingress_settings attribute to ALLOW_INTERNAL_ONLY for the resource google_cloudfunctions2_function.
Example Configuration
resource "google_cloudfunctions_function" "allow1" {
name = "function-test1"
description = "My function"
runtime = "nodejs20"
available_memory_mb = 128
source_archive_bucket = google_storage_bucket.bucket1.name
source_archive_object = google_storage_bucket_object1.object.name
trigger_http = true
entry_point = "helloWorld"
ingress_settings = "ALLOW_INTERNAL_ONLY"
}
resource "google_cloudfunctions2_function" "allow2" {
name = "function-test2"
location = "us-east1"
description = "a new function"
build_config {
runtime = "nodejs20"
entry_point = "helloHttp"
source {
storage_source {
bucket = google_storage_bucket.bucket2.name
object = google_storage_bucket_object.object2.name
}
}
}
service_config {
max_instance_count = 1
available_memory = "256M"
ingress_settings = "ALLOW_INTERNAL_ONLY"
}
}