Risk Level: High
Cloud Entity: Google Cloud Function
CloudGuard Rule ID: D9.GCP.NET.38
Covered by Spectral: No
Category: Compute

GSL LOGIC

CloudFunction should have vpcConnector

REMEDIATION

From Portal

Go to the function: https://console.cloud.google.com/functions/list, then click Edit.
Click 'Runtime, build, connections and security settings' to expand the function configuration page.
Click the Connections tab, and under 'Egress settings' choose an option from the 'VPC Network' menu, except 'None' which is to disconnect an already associated connector.
To use an existing connector, select it from the drop-down list or select Custom to use an existing connector that is not shown in the drop-down list (you can also add a new one from 'Add new VPC connector').
Click Next, and then Deploy.

Note: Administrators can require that functions specify a Serverless VPC Access connector by setting the 'cloudfunctions.requireVPCConnector' organization policy.

From TF
Note: The 'name' argument is supported and the vpc_connector argument is exported. Please see the Terraform link under References to get the latest updates for this entity.

data "google_cloudfunctions_function" "my-function" {
	. .
	name = "function"  // REQUIRED ARGUMENT, see Note and References
	vpc_connector = EXPORTED  // COMPUTED ATTRIBUTE
	. .
}

From Command Line
Use the gcloud functions deploy command to deploy the function and specify the --vpc-connector flag:

gcloud functions deploy FUNCTION_NAME --vpc-connector CONNECTOR_NAME FLAGS

References

Google Cloud Function

Cloud Functions is a lightweight compute solution for developers to create single-purpose, stand-alone functions that respond to Cloud events without the need to manage a server or runtime environment.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset