PIM-12026 [Security] Add SSL policy to use only TLS 1.2 (#1029)

fontailo · web-flow · commit 21340e2fbb87 · 2025-04-04T14:14:37.000+02:00
diff --git a/deployments/modules/services/networking/load-balancer.tf b/deployments/modules/services/networking/load-balancer.tf
@@ -25,10 +25,17 @@ resource "google_compute_managed_ssl_certificate" "default" {
   }
 }
 
+resource "google_compute_ssl_policy" "default" {
+  name            = "default-ssl-tls-policy"
+  profile         = "COMPATIBLE"
+  min_tls_version = "TLS_1_2"
+}
+
 resource "google_compute_target_https_proxy" "default" {
   name             = "${local.context}-https-lb-proxy"
   url_map          = google_compute_url_map.default.id
   ssl_certificates = [google_compute_managed_ssl_certificate.default.id]
+  ssl_policy       = google_compute_ssl_policy.default.id
 }
 
 resource "google_compute_target_http_proxy" "https_redirect" {

Original file line number	Diff line number	Diff line change
`@@ -25,10 +25,17 @@ resource "google_compute_managed_ssl_certificate" "default" {`
`25`	`25`	`}`
`26`	`26`	`}`
`27`	`27`
	`28`	`+resource "google_compute_ssl_policy" "default" {`
	`29`	`+ name = "default-ssl-tls-policy"`
	`30`	`+ profile = "COMPATIBLE"`
	`31`	`+ min_tls_version = "TLS_1_2"`
	`32`	`+}`
	`33`	`+`
`28`	`34`	`resource "google_compute_target_https_proxy" "default" {`
`29`	`35`	`name = "${local.context}-https-lb-proxy"`
`30`	`36`	`url_map = google_compute_url_map.default.id`
`31`	`37`	`ssl_certificates = [google_compute_managed_ssl_certificate.default.id]`
	`38`	`+ ssl_policy = google_compute_ssl_policy.default.id`
`32`	`39`	`}`
`33`	`40`
`34`	`41`	`resource "google_compute_target_http_proxy" "https_redirect" {`