feat: warn if default ingress_settings is used in remote_functions

Author: chelsea-lin

bigframes/functions/_function_session.py

@@ -120,9 +120,9 @@ def remote_function(
  cloud_function_max_instances: Optional[int] = None,
  cloud_function_vpc_connector: Optional[str] = None,
  cloud_function_memory_mib: Optional[int] = 1024,
- cloud_function_ingress_settings: Literal[
- "all", "internal-only", "internal-and-gclb"
- ] = "all",
+ cloud_function_ingress_settings: Optional[
+ Literal["all", "internal-only", "internal-and-gclb"]
+ ] = None,
  ):
  """Decorator to turn a user defined function into a BigQuery remote function.
 
@@ -302,8 +302,9 @@ def remote_function(
  https://cloud.google.com/functions/docs/configuring/memory.
  cloud_function_ingress_settings (str, Optional):
  Ingress settings controls dictating what traffic can reach the
- function. By default `all` will be used. It must be one of:
- `all`, `internal-only`, `internal-and-gclb`. See for more details
+ function. Options are: `all`, `internal-only`, or `internal-and-gclb`.
+ If no setting is provided, `all` will be used by default and a warning
+ will be issued. See for more details
  https://cloud.google.com/functions/docs/networking/network-settings#ingress_settings.
  """
  # Some defaults may be used from the session if not provided otherwise
@@ -400,6 +401,15 @@ def remote_function(
  " For more details see https://cloud.google.com/functions/docs/securing/cmek#before_you_begin"
  )
 
+ if cloud_function_ingress_settings is None:
+ cloud_function_ingress_settings = "all"
+ msg = (
+ "The `cloud_function_ingress_settings` are set to 'all' by default, "
+ "which may change. Consider using 'internal-only' for enhanced security. "
+ "See https://cloud.google.com/functions/docs/networking/network-settings#ingress_settings for details."
+ )
+ warnings.warn(msg, category=UserWarning)
+
  bq_connection_manager = session.bqconnectionmanager
 
  def wrapper(func):

bigframes/pandas/__init__.py

@@ -80,9 +80,9 @@ def remote_function(
  cloud_function_max_instances: Optional[int] = None,
  cloud_function_vpc_connector: Optional[str] = None,
  cloud_function_memory_mib: Optional[int] = 1024,
- cloud_function_ingress_settings: Literal[
- "all", "internal-only", "internal-and-gclb"
- ] = "all",
+ cloud_function_ingress_settings: Optional[
+ Literal["all", "internal-only", "internal-and-gclb"]
+ ] = None,
 ):
  return global_session.with_default_session(
  bigframes.session.Session.remote_function,

bigframes/session/__init__.py

@@ -1203,9 +1203,9 @@ def remote_function(
  cloud_function_max_instances: Optional[int] = None,
  cloud_function_vpc_connector: Optional[str] = None,
  cloud_function_memory_mib: Optional[int] = 1024,
- cloud_function_ingress_settings: Literal[
- "all", "internal-only", "internal-and-gclb"
- ] = "all",
+ cloud_function_ingress_settings: Optional[
+ Literal["all", "internal-only", "internal-and-gclb"]
+ ] = None,
  ):
  """Decorator to turn a user defined function into a BigQuery remote function. Check out
  the code samples at: https://cloud.google.com/bigquery/docs/remote-functions#bigquery-dataframes.
@@ -1369,8 +1369,9 @@ def remote_function(
  https://cloud.google.com/functions/docs/configuring/memory.
  cloud_function_ingress_settings (str, Optional):
  Ingress settings controls dictating what traffic can reach the
- function. By default `all` will be used. It must be one of:
- `all`, `internal-only`, `internal-and-gclb`. See for more details
+ function. Options are: `all`, `internal-only`, or `internal-and-gclb`.
+ If no setting is provided, `all` will be used by default and a warning
+ will be issued. See for more details
  https://cloud.google.com/functions/docs/networking/network-settings#ingress_settings.
  Returns:
  collections.abc.Callable:

tests/system/large/functions/test_remote_function.py

@@ -2354,6 +2354,11 @@ def generate_stats(row: pandas.Series) -> list[int]:
  pytest.param(
  {}, functions_v2.ServiceConfig.IngressSettings.ALLOW_ALL, id="no-set"
  ),
+ pytest.param(
+ {"cloud_function_ingress_settings": None},
+ functions_v2.ServiceConfig.IngressSettings.ALLOW_ALL,
+ id="set-none",
+ ),
  pytest.param(
  {"cloud_function_ingress_settings": "all"},
  functions_v2.ServiceConfig.IngressSettings.ALLOW_ALL,