terraform.gcp.security.gcp-compute-ssl-policy.gcp-compute-ssl-policy
semgrep
Author
unknown
Download Count*
License
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Run Locally
Run in CI
Defintion
rules:
- id: gcp-compute-ssl-policy
patterns:
- pattern: resource
- pattern-either:
- pattern-inside: |
resource "google_compute_ssl_policy" "..." {
...
profile = "MODERN"
...
}
- pattern-inside: |
resource "google_compute_ssl_policy" "..." {
...
profile = "CUSTOM"
custom_features = [..., "TLS_RSA_WITH_AES_256_GCM_SHA384", ...]
...
}
- pattern-not-inside: |
resource "google_compute_ssl_policy" "..." {
...
profile = "MODERN"
min_tls_version = "TLS_1_2"
...
}
- pattern-not-inside: >
resource "google_compute_ssl_policy" "..." {
...
profile = "CUSTOM"
custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
...
}
message: Ensure no HTTPS or SSL proxy load balancers permit SSL policies with
weak cipher suites
metadata:
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
cwe:
- "CWE-326: Inadequate Encryption Strength"
category: security
technology:
- terraform
- gcp
references:
- https://docs.bridgecrew.io/docs/google-cloud-policy-index
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
languages:
- hcl
severity: WARNING
Examples
gcp-compute-ssl-policy.tf
# fail
# ruleid: gcp-compute-ssl-policy
resource "google_compute_ssl_policy" "fail1" {
name = "nonprod-ssl-policy"
profile = "MODERN"
}
# fail
# ruleid: gcp-compute-ssl-policy
resource "google_compute_ssl_policy" "fail2" {
name = "custom-ssl-policy"
min_tls_version = "TLS_1_2"
profile = "CUSTOM"
custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_GCM_SHA384"]
}
# ok: gcp-compute-ssl-policy
resource "google_compute_ssl_policy" "success1" {
name = "nonprod-ssl-policy"
profile = "MODERN"
min_tls_version = "TLS_1_2"
}
# ok: gcp-compute-ssl-policy
resource "google_compute_ssl_policy" "success1" {
name = "custom-ssl-policy"
min_tls_version = "TLS_1_2"
profile = "CUSTOM"
custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
}
Short Link: https://sg.run/zrql