GCP Execution Runtime Environment Version

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that none of your Google Cloud functions are 1st (first) generation functions. 1st generation Google Cloud functions are considered deprecated and no longer receive updates or support, making them less secure, less performant, and lacking in new features compared to newer generations.

Security
Reliability
Cost optimisation
Operational excellence
Sustainability

Google Cloud Functions 2nd generation offers several key improvements over the 1st generation. First, it provides better performance with faster cold starts and reduced execution times. Second, it offers a broader choice of runtime environments, including Node.js, Python, Go, and more, enabling greater flexibility for developers. Third, 2nd generation functions have improved networking capabilities and better integration with Google Cloud services. Finally, they offer enhanced monitoring and debugging features, making it easier to manage and troubleshoot functions. Upgrading to the 2nd generation is advisable for improved performance, flexibility, and a more robust development and operations experience, particularly for applications with demanding requirements or complex workflows. The 2nd generation of Google Cloud functions represents a Function-as-a-Service offering that harnesses the capabilities of Cloud Run and Eventarc. This empowers users to take advantage of the core advantages provided by Cloud Run, such as concurrent processing, traffic distribution, and extended processing durations.


Audit

To determine if your Google Cloud functions are second generation (or newer generation) functions, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Cloud Functions console available at https://console.cloud.google.com/functions/.

04 Click on the name (link) of the Google Cloud function that you want to examine, listed in the Name column.

05 Check the generation version, displayed next to the resource name, to determine the function generation. If the function generation is set to 1st gen (first generation), the selected Google Cloud function is using a deprecated platform.

06 Repeat steps no. 4 and 5 for each Google Cloud function created for the selected GCP project.

07 Repeat steps no. 2 - 6 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project ID(s):

PROJECT_ID
cc-bigdata-project-123123
cc-iot-app-project-112233

03 Run functions list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and the region of each Google Cloud function deployed within the selected project:

gcloud functions list \
  --project cc-bigdata-project-123123 \
  --format="(NAME,REGION)"

04 The command output should return the requested function names and their regions:

NAME                  REGION
cc-web-app-function   us-central1
cc-stream-function    us-central1

05 Run functions describe command (Windows/macOS/Linux) using the name of the Google Cloud function that you want to examine as the identifier parameter, to describe the runtime environment version for the selected function:

gcloud functions describe cc-web-app-function \
  --region=us-central1 \
  --format="json(environment)"

06 The command output should return the environment version for second generation or newer, or null if the resource is a first generation function:

null

If the functions describe command output returns null, the verified resource is a first generation function, therefore the selected Google Cloud function is using a deprecated platform.

07 Repeat steps no. 5 and 6 for each Google Cloud function created for the selected GCP project.

08 Repeat steps no. 3 – 6 for each GCP project deployed in your Google Cloud account.
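The CLI audit steps above, collected into one script as an added example (not Conformity's or Google's code). The helper names generation_of, audit_project and audit_all_projects are hypothetical; the script assumes an authenticated gcloud and treats a null, empty or GEN_1 environment value as 1st gen.

```shell
#!/bin/sh
# Added example: list every 1st gen Cloud Function across all projects.
# Helper names are hypothetical; gcloud must already be authenticated.

# Map the `environment` value from `gcloud functions describe` to a generation.
# The page reports null for 1st gen; the v2 API enum also defines GEN_1,
# so null, empty and GEN_1 are all treated as first generation.
generation_of() {
  case "$1" in
    ""|null|GEN_1) echo "1st gen" ;;
    GEN_2)         echo "2nd gen" ;;
    *)             echo "unknown" ;;
  esac
}

# Print "project region function" for each 1st gen function in one project.
audit_project() (
  project="$1"
  gcloud functions list --project "$project" --format="value(name)" |
  while IFS= read -r resource; do
    [ -n "$resource" ] || continue
    # resource has the form projects/P/locations/REGION/functions/NAME
    name="${resource##*/}"
    region="${resource#*/locations/}"
    region="${region%%/*}"
    env="$(gcloud functions describe "$name" --project "$project" \
      --region="$region" --format="value(environment)" </dev/null)"
    if [ "$(generation_of "$env")" = "1st gen" ]; then
      echo "$project $region $name"
    fi
  done
)

# Walk every project visible to the current gcloud account.
audit_all_projects() (
  gcloud projects list --format="value(projectId)" |
  while IFS= read -r project; do
    [ -n "$project" ] || continue
    audit_project "$project"
  done
)

# Only query the cloud when explicitly asked to.
if [ "${1:-}" = "--all" ]; then
  audit_all_projects
fi
```

Run the script with the `--all` argument; each output line names a project, region and function that is still on the 1st generation platform.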

Remediation / Resolution

To migrate your 1st generation Google Cloud functions to 2nd generation functions, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Cloud Functions console available at https://console.cloud.google.com/functions/.

04 Choose the 1st generation function that you want to upgrade, click on the 3-dot button to open the options menu, and select Copy function to copy and redeploy your function using the 2nd generation platform.

05 For Configuration, perform the following operations:

  1. Select 2nd gen from the Environment dropdown list to set the function generation.
  2. Provide a unique name for your function in the Function name box.
  3. Select the appropriate region from the Region dropdown list.
  4. Ensure that Trigger configuration is set.
  5. Choose Runtime, build, connections and security settings and configure the function settings based on your application needs.
  6. Choose NEXT to continue.

06 Copying a Google Cloud function may require you to revise the source code when changing the environment version. For Code, review the function code to ensure that it is compatible with the new environment.

07 Choose DEPLOY to deploy your 2nd generation function.

08 Repeat steps no. 4 – 7 for each Google Cloud function that you want to upgrade, available for the selected GCP project.

09 Repeat steps no. 2 – 8 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run functions describe command (Windows/macOS/Linux) using the name of the Google Cloud function that you want to examine as the identifier parameter, to describe the configuration information available for the selected function:

gcloud functions describe cc-web-app-function \
  --region=us-central1 \
  --format="json"

02 The command output should return the requested configuration information:

{
	"availableMemoryMb": 256,
	"buildId": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"buildName": "projects/123456789012/locations/us-central1/builds/1234abcd-1234-abcd-1234-abcd1234abcd",
	"dockerRegistry": "CONTAINER_REGISTRY",
	"entryPoint": "run-app",
	"ingressSettings": "ALLOW_ALL",
	"labels": {
		"deployment-tool": "console-cloud"
	},
	"maxInstances": 3,
	"name": "projects/cc-bigdata-project-123123/locations/us-central1/functions/cc-web-app-function",
	"runtime": "python39",
	"serviceAccountEmail": "cc-bigdata-project-123123@appspot.gserviceaccount.com",
	"status": "ACTIVE",
	"timeout": "60s",
	"updateTime": "2023-09-15T17:44:39.946Z",
	"versionId": "1"
}

03 Run functions deploy command (Windows/macOS/Linux) to redeploy your Google Cloud function to a 2nd generation function using the configuration information returned at the previous step. The describe output does not show who is allowed to invoke the original function, so keep --allow-unauthenticated only if the function is meant to be publicly invocable:

gcloud functions deploy cc-2nd-gen-function \
  --region=us-central1 \
  --max-instances=3 \
  --runtime=python39 \
  --entry-point=run-app \
  --trigger-http \
  --allow-unauthenticated \
  --gen2 \
  --format="json(environment)"

04 The command output should return the function environment generation version:

{
	"environment": "GEN_2"
}

05 Repeat steps no. 1 – 4 for each Google Cloud function that you want to upgrade, created for the selected GCP project.

06 Repeat steps no. 1 – 5 for each project deployed within your Google Cloud account.

Publication date Oct 24, 2023
