terraform.gcp.security.gcp-insecure-load-balancer-tls-version.gcp-insecure-load-balancer-tls-version

Author
unknown
Detected a GCP Load Balancer SSL policy using an insecure version of TLS. To fix this, set "min_tls_version" to "TLS_1_2".

Definition

rules:
  - id: gcp-insecure-load-balancer-tls-version
    patterns:
      - pattern: |
          resource "google_compute_ssl_policy" $ANYTHING {
            ...
            min_tls_version = "..."
            ...
          }
      - pattern-not: |
          resource "google_compute_ssl_policy" $ANYTHING {
            ...
            min_tls_version = "TLS_1_2"
            ...
          }
    message: Detected GCP Load Balancer to be using an insecure version of TLS. To
      fix this set your "min_tls_version" to "TLS_1_2"
    languages:
      - terraform
    severity: WARNING
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      technology:
        - gcp
        - terraform
      category: security
      references:
        - https://docs.bridgecrew.io/docs/google-cloud-policy-index
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues

Examples

gcp-insecure-load-balancer-tls-version.tf

# ruleid: gcp-insecure-load-balancer-tls-version
resource "google_compute_ssl_policy" "badCode" {
  name = "badCode"
  min_tls_version = "TLS_1_0"
  # ...
}

# ok: gcp-insecure-load-balancer-tls-version
resource "google_compute_ssl_policy" "okCode" {
  name = "okCode"
  min_tls_version = "TLS_1_2"
  # ...
}
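The rule above only matches a google_compute_ssl_policy block that explicitly sets min_tls_version to something other than "TLS_1_2"; a block that omits the attribute is not matched, even though GCP then falls back to its default of TLS_1_0. The following Python checker is an added example (not Semgrep's code and not part of the rule's test file) that reproduces the rule's logic with a regular-expression scan over HCL text and, via the hypothetical flag_missing option, goes one step beyond the rule by also reporting policies that leave the attribute unset; the sample input is constructed from the test file plus one such "defaultCode" block.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the rule's two test resources plus one that omits
# min_tls_version entirely (GCP's default for that attribute is TLS_1_0).
SAMPLE_TF = '''
resource "google_compute_ssl_policy" "badCode" {
  name = "badCode"
  min_tls_version = "TLS_1_0"
}

resource "google_compute_ssl_policy" "okCode" {
  name = "okCode"
  min_tls_version = "TLS_1_2"
}

resource "google_compute_ssl_policy" "defaultCode" {
  name = "defaultCode"
}
'''

# A top-level google_compute_ssl_policy block: capture its label and body.
# The body ends at the first "}" that starts a line (top-level closing brace).
BLOCK_RE = re.compile(
    r'resource\s+"google_compute_ssl_policy"\s+"(?P<label>[^"]+)"\s*\{'
    r'(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
# The min_tls_version attribute inside a block body.
ATTR_RE = re.compile(r'^\s*min_tls_version\s*=\s*"(?P<value>[^"]*)"', re.MULTILINE)

SECURE_MIN_TLS = "TLS_1_2"


def find_insecure_ssl_policies(
    hcl: str, flag_missing: bool = False
) -> List[Tuple[str, Optional[str]]]:
    """Return (resource label, min_tls_version) for every policy the rule flags.

    With flag_missing=True (hypothetical extension, not in the Semgrep rule),
    policies that never set min_tls_version are reported with value None.
    """
    findings: List[Tuple[str, Optional[str]]] = []
    for block in BLOCK_RE.finditer(hcl):
        label = block.group("label")
        attr = ATTR_RE.search(block.group("body"))
        if attr is None:
            if flag_missing:
                findings.append((label, None))
            continue
        if attr.group("value") != SECURE_MIN_TLS:
            findings.append((label, attr.group("value")))
    return findings
```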