terraform.gcp.security.gcp-compute-ssl-policy.gcp-compute-ssl-policy

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: gcp-compute-ssl-policy
    patterns:
      - pattern: resource
      - pattern-either:
          - pattern-inside: |
              resource "google_compute_ssl_policy" "..." {
              ...
              profile = "MODERN"
              ...
              }
          - pattern-inside: |
              resource "google_compute_ssl_policy" "..." {
              ...
              profile = "CUSTOM"
              custom_features = [..., "TLS_RSA_WITH_AES_256_GCM_SHA384", ...]
              ...
              }
      - pattern-not-inside: |
          resource "google_compute_ssl_policy" "..." {
          ...
          profile = "MODERN"
          min_tls_version = "TLS_1_2"
          ...
          }
      - pattern-not-inside: >
          resource "google_compute_ssl_policy" "..." {

          ...

          profile = "CUSTOM"

          custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]

          ...

          }
    message: Ensure no HTTPS or SSL proxy load balancers permit SSL policies with
      weak cipher suites
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      category: security
      technology:
        - terraform
        - gcp
      references:
        - https://docs.bridgecrew.io/docs/google-cloud-policy-index
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - hcl
    severity: WARNING

Examples

gcp-compute-ssl-policy.tf

# fail
# ruleid: gcp-compute-ssl-policy
resource "google_compute_ssl_policy" "fail1" {
    name            = "nonprod-ssl-policy"
    profile         = "MODERN"
}

# fail
# ruleid: gcp-compute-ssl-policy
resource "google_compute_ssl_policy" "fail2" {
    name            = "custom-ssl-policy"
    min_tls_version = "TLS_1_2"
    profile         = "CUSTOM"
    custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_GCM_SHA384"]
}

# ok: gcp-compute-ssl-policy
resource "google_compute_ssl_policy" "success1" {
    name            = "nonprod-ssl-policy"
    profile         = "MODERN"
    min_tls_version = "TLS_1_2"
}

# ok: gcp-compute-ssl-policy
resource "google_compute_ssl_policy" "success1" {
    name            = "custom-ssl-policy"
    min_tls_version = "TLS_1_2"
    profile         = "CUSTOM"
    custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
}