fix(security/gcp): flip Cloud Run ingress default to INTERNAL_LOAD_BALANCER now that Cloud Armor stack is wired

[cristim]

Summary

GCP Cloud Run's cloud_run_allow_unauthenticated default was flipped to false, but the companion ingress default still allows public traffic (INGRESS_TRAFFIC_ALL). The plan to flip both together was deferred because the supporting external HTTPS Load Balancer + Cloud Armor wasn't provisioned by the env. Cloud Armor is now wired in (enable_cloud_armor per tfvars, frontend.tf references the LB module) — time to revisit whether the ingress default can move.

Captured in: known_issues/19_tf_env_gcp.md ("MEDIUM: Cloud Run publicly reachable — RESOLVED (default flipped; ingress change deferred)").

Current behaviour

terraform/environments/gcp/variables.tf:229 — cloud_run_allow_unauthenticated defaults to false (auth required at IAM level), but the same file's ingress variable still defaults to INGRESS_TRAFFIC_ALL. A misconfigured deployment that grants roles/run.invoker to allUsers would still expose the service to the public internet.

The variable's godoc spells out the gap explicitly:

ingress default INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER because the supporting external HTTPS load balancer + Cloud Armor stack is not provisioned by this environment yet…

Cloud Armor is now provisioned: terraform/environments/gcp/frontend.tf:24 references enable_cloud_armor, and github-prod.tfvars/github-staging.tfvars both set enable_cloud_armor = true.

Expected behaviour

When the LB stack is fully wired (verify), flip the ingress default to INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER so Cloud Run can be reached only via the LB (and therefore via Cloud Armor's WAF rules). Frontend tfvars already setting enable_cloud_armor = true should serve as the gating signal.

Steps to verify the gap

gcloud run services describe <svc> --region <region> --format='value(spec.template.metadata.annotations[run.googleapis.com/ingress])'
# Today: "all" (or unset, which defaults to all)
# After fix: "internal-and-cloud-load-balancing"

curl https://<direct-cloud-run-url>/health
# Today: 200 (request reaches the service)
# After fix: 403 (only LB can reach it)

Proposed fix

1. Audit the LB stack in terraform/environments/gcp/frontend.tf and the underlying GCP module — confirm Serverless NEG references the Cloud Run service correctly and Cloud Armor is attached to the backend service.
2. Flip ingress default to INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER in terraform/environments/gcp/variables.tf:223-227.
3. Override in dev.tfvars (and the example) to keep dev easy to hit directly.
4. Update the variable's godoc — remove the "deferred" language.
5. Update README to reflect the new defaults.

Edge cases

• Internal Cloud Scheduler jobs that today hit the direct Cloud Run URL must move to the LB or use IAM-authed invocation.
• Blue/green: ensure LB health checks target the right revision.
• Existing prod deployments that don't override the new default will break — coordinate the flip with a release-note callout.

References

• File: terraform/environments/gcp/variables.tf:223-244 (variable + godoc spelling out the deferred state).
• Frontend LB wiring: terraform/environments/gcp/frontend.tf:24.
• Tfvars enabling Cloud Armor: github-prod.tfvars:71, github-staging.tfvars:70.
• Known-issue doc: known_issues/19_tf_env_gcp.md → "MEDIUM: Cloud Run publicly reachable".

Severity

Medium — defence-in-depth gap. cloud_run_allow_unauthenticated=false provides IAM-level auth today; flipping ingress adds a network-layer guard so a misconfigured IAM binding can't blow the door open.

Effort

Medium — flip + tfvar overrides + audit LB wiring + release-notes coordination.

[cristim]

Verification report for PR #73 merge

• PR merged: fix(security/gcp): flip Cloud Run ingress default to INTERNAL_LOAD_BALANCER #73 (commit 89e503a41f4de0eb7adaeb4f612af1610dcaf2bb)
• Deploy CI on feat/multicloud-web-frontend: GCP Cloud Run + Azure Container Apps both success for the merge commit (run timestamps 2026-04-27T16:19:16Z).
• Code-level verification (browser/curl not applicable — IaC change):
  • terraform/environments/gcp/variables.tf introduces cloud_run_ingress variable with secure default INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER.
  • terraform/environments/gcp/compute.tf plumbs the variable into module.compute_cloud_run (the missing wiring the original audit caught).
  • All 4 shipped tfvars (dev.tfvars.example, github-dev.tfvars, github-staging.tfvars, github-prod.tfvars) include explicit cloud_run_ingress = "INGRESS_TRAFFIC_ALL" overrides with comments explaining why (LB stack not yet provisioned; enable_cdn = false everywhere).

Recommendation: close #51.

The defence-in-depth code change shipped — when enable_cdn flips to true for an env (per the operator-coordinated migration in #78), simply removing that env's cloud_run_ingress override takes the secure default into effect with zero further code work needed.

The per-env LB enablement + override-removal migration is tracked separately in #78, which stays open as an ops checklist (one item per env: dev → github-dev → github-staging → github-prod).

(Not closing automatically — leaving the call to a human.)

[cristim]

Re-verified during batch implementation: cloud_run_ingress defaults to INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER at terraform/environments/gcp/variables.tf:277 (PR #73 shipped). The defence-in-depth code change is in place — per-env enablement is tracked separately in #78.

No new PR needed for this issue. Recommending closure as the verification comment above already concluded.

[cristim]

Defence-in-depth code change shipped in PR #73 (GCP + Azure deploys both green). Per-env override removal is tracked in #78. Recommend closure as completed per @cristim's 2026-04-27 verification comment. (triage agent wave1-A)