Skip to content

security(iac/gcp): set allow_unauthenticated=false; document ingress override#586

Open
cristim wants to merge 1 commit into
feat/multicloud-web-frontendfrom
security/gcp-cloudrun-auth-384-78
Open

security(iac/gcp): set allow_unauthenticated=false; document ingress override#586
cristim wants to merge 1 commit into
feat/multicloud-web-frontendfrom
security/gcp-cloudrun-auth-384-78

Conversation

@cristim
Copy link
Copy Markdown
Member

@cristim cristim commented May 20, 2026

Summary

Two related Cloud Run security/ops fixes to all three environment tfvars (dev, staging, prod):

#384 - allow_unauthenticated=false: cloud_run_allow_unauthenticated was set to true in all three tfvars, overriding the variable default of false. Cloud Run's built-in IAM auth is a defence-in-depth layer independent of our application-level JWT auth; it was unintentionally disabled. Setting it to false re-enables it.

#78 - Document ingress override: cloud_run_ingress = "INGRESS_TRAFFIC_ALL" is a temporary override because the external HTTPS LB + Cloud Armor stack (enable_cdn=true) has not yet been provisioned. The variable default (INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER) would block *.run.app traffic until DNS + cert + LB are in place. Updated inline comments to cross-reference both issues and state the removal condition.

Closes #384
Closes #78

Test plan

  • terraform fmt -check passes on all three tfvars files
  • Pre-commit hooks pass

@cristim
security(iac/gcp): set allow_unauthenticated=false; document ingress …
5a9b52d 
…override (closes #384, #78)

#384: cloud_run_allow_unauthenticated was incorrectly set to true in all
three environment tfvars, overriding the variable default of false. Cloud
Run's built-in IAM auth is a defence-in-depth layer independent of our
application-level JWT auth; it was unintentionally disabled. Set it to
false in dev, staging, and prod.

#78: cloud_run_ingress is temporarily set to INGRESS_TRAFFIC_ALL in all
environments because the external HTTPS LB + Cloud Armor stack (enabled
by enable_cdn=true) has not yet been provisioned. The variable default is
INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER, which would block *.run.app
traffic until DNS + cert + LB are in place. Update the inline comments to
cross-reference both issues and explain the removal condition.
@cristim cristim added triaged Item has been triaged priority/p2 Backlog-worthy severity/medium Moderate harm urgency/this-quarter Within the quarter impact/all-users Affects every user labels May 20, 2026
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 20, 2026
edited
Loading

Warning

Rate limit exceeded

@cristim has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 4 minutes and 31 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0c27cccc-a003-49f1-825f-f196beee8199

📥 Commits

Reviewing files that changed from the base of the PR and between bc8831b and 5a9b52d.

📒 Files selected for processing (3)
  • terraform/environments/gcp/github-dev.tfvars
  • terraform/environments/gcp/github-prod.tfvars
  • terraform/environments/gcp/github-staging.tfvars
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch security/gcp-cloudrun-auth-384-78

Comment @coderabbitai help to get the list of available commands and usage tips.

@cristim
Copy link
Copy Markdown
Member Author

cristim commented May 20, 2026

@coderabbitai review

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 20, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cristim cristim added type/security Security finding effort/m Days labels May 20, 2026
@cristim
Copy link
Copy Markdown
Member Author

cristim commented May 22, 2026

@coderabbitai review

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 22, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cristim
Copy link
Copy Markdown
Member Author

cristim commented May 22, 2026

@coderabbitai review

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 22, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

effort/m Days impact/all-users Affects every user priority/p2 Backlog-worthy severity/medium Moderate harm triaged Item has been triaged type/security Security finding urgency/this-quarter Within the quarter

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cristim