GCP Cloud Function HTTP trigger is not secured
Description
This policy identifies GCP Cloud Functions for which the HTTP trigger is not secured. When you configure HTTP functions to be triggered only with HTTPS, user requests will be redirected to use the HTTPS protocol, which is more secure. It is recommended to set the 'Require HTTPS' for configuring HTTP triggers while deploying your function.
Code Example
go
resource "google_cloudfunctions_function" "pass" {
name = "function-test"
description = "My function"
runtime = "nodejs16"
available_memory_mb = 128
source_archive_bucket = google_storage_bucket.bucket.name
source_archive_object = google_storage_bucket_object.archive.name
trigger_http = true
https_trigger_security_level = "SECURE_ALWAYS"
timeout = 60
entry_point = "helloGET"
labels = {
my-label = "my-label-value"
}
}Remediation
Terraform
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0995 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV2_GCP_10 |