Dataproc clusters has public IPs

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Dataproc clusters has public IPs

Metadata

Id: d2c4b6a8-1234-4f56-9abc-def012345678

Cloud Provider: GCP

Platform: Terraform

Severity: High

Category: Insecure Configurations

Learn More

Provider Reference

Description

Google Cloud Dataproc clusters with public IP addresses are directly accessible from the internet, creating an expanded attack surface that could be exploited by malicious actors. When internal_ip_only is set to false or omitted, clusters receive both internal and external IP addresses, potentially exposing sensitive data processing operations and administrative interfaces to unauthorized access.

Secure configuration requires setting internal_ip_only to true as shown in this example:

resource "google_dataproc_cluster" "good_example" {
  cluster_config {
    gce_cluster_config {
      internal_ip_only = true
    }
  }
}

The following is an insecure configuration that should be avoided:

resource "google_dataproc_cluster" "bad_example" {
  cluster_config {
    gce_cluster_config {
      internal_ip_only = false
    }
  }
}

Compliant Code Examples

resource "google_dataproc_cluster" "good_example" {
  name   = "good-cluster"
  region = "us-central1"

  cluster_config {
    gce_cluster_config {
      internal_ip_only = true # ✅ Private cluster (no public IP)
    }
  }
}

Non-Compliant Code Examples

resource "google_dataproc_cluster" "bad_example" {
  name   = "bad-cluster"
  region = "us-central1"

  cluster_config {
    gce_cluster_config {
      internal_ip_only = false # ❌ Public IP enabled
    }
  }
}