From c1fec09d68e641281625bed562387933b794231d Mon Sep 17 00:00:00 2001
From: adekunle-olubi
Date: Wed, 11 Sep 2024 14:16:48 +0200
Subject: [PATCH 1/3] deploy: new SSL policy
---
 deployments/modules/services/networking/load-balancer.tf | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/deployments/modules/services/networking/load-balancer.tf b/deployments/modules/services/networking/load-balancer.tf
index 09ba7cd2e..726315b78 100644
--- a/deployments/modules/services/networking/load-balancer.tf
+++ b/deployments/modules/services/networking/load-balancer.tf
@@ -25,10 +25,19 @@ resource "google_compute_managed_ssl_certificate" "default" {
 }
 }
+resource "google_compute_ssl_policy" "default-ssl-policy" {
+ project = var.project_id
+ name = "default-ssl-policy"
+ profile = "COMPATIBLE"
+ min_tls_version = "TLS_1_2"
+ description = "Recommended SSL policy for security purposes"
+}
+
 resource "google_compute_target_https_proxy" "default" {
 name = "${local.context}-https-lb-proxy"
 url_map = google_compute_url_map.default.id
 ssl_certificates = [google_compute_managed_ssl_certificate.default.id]
+ ssl_policy = google_compute_ssl_policy.default-ssl-policy.self_link
 }
 resource "google_compute_target_http_proxy" "https_redirect" {
From 2031361bfbdd5c23f95f63c363e895f37a42e116 Mon Sep 17 00:00:00 2001
From: adekunle-olubi
Date: Wed, 11 Sep 2024 14:43:19 +0200
Subject: [PATCH 2/3] deploy: new SSL policy
---
 deployments/modules/services/networking/load-balancer.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deployments/modules/services/networking/load-balancer.tf b/deployments/modules/services/networking/load-balancer.tf
index 726315b78..6e733681d 100644
--- a/deployments/modules/services/networking/load-balancer.tf
+++ b/deployments/modules/services/networking/load-balancer.tf
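Review bot: The `google_compute_ssl_policy` block added in PATCH 1/3 hard-codes `name = "default-ssl-policy"`, while the HTTPS proxy right below it derives its name from `${local.context}`. SSL policy names have to be unique within a project, so a second instantiation of this module in the same project would presumably fail on a name collision; whether that can happen is not visible from this hunk. Following the proxy's convention, `name = "${local.context}-ssl-policy"`, would avoid it, bearing in mind that renaming an already applied policy forces Terraform to replace it.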
@@ -28,7 +28,7 @@ resource "google_compute_managed_ssl_certificate" "default" {
 resource "google_compute_ssl_policy" "default-ssl-policy" {
 project = var.project_id
 name = "default-ssl-policy"
- profile = "COMPATIBLE"
+ profile = "MODERN"
 min_tls_version = "TLS_1_2"
 description = "Recommended SSL policy for security purposes"
 }
@@ -37,7 +37,7 @@ resource "google_compute_target_https_proxy" "default" {
 name = "${local.context}-https-lb-proxy"
 url_map = google_compute_url_map.default.id
 ssl_certificates = [google_compute_managed_ssl_certificate.default.id]
- ssl_policy = google_compute_ssl_policy.default-ssl-policy.self_link
+ ssl_policy = google_compute_ssl_policy.default-ssl-policy.id
 }
 resource "google_compute_target_http_proxy" "https_redirect" {
From 794318ed9ca6699f99531606a9aeb6f16078b69a Mon Sep 17 00:00:00 2001
From: adekunle-olubi
Date: Mon, 16 Sep 2024 16:13:53 +0200
Subject: [PATCH 3/3] deploy: set COMPATIBLE instead of MODERN
---
 deployments/modules/services/networking/load-balancer.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployments/modules/services/networking/load-balancer.tf b/deployments/modules/services/networking/load-balancer.tf
index 6e733681d..ea3e708f4 100644
--- a/deployments/modules/services/networking/load-balancer.tf
+++ b/deployments/modules/services/networking/load-balancer.tf
@@ -28,7 +28,7 @@ resource "google_compute_managed_ssl_certificate" "default" {
 resource "google_compute_ssl_policy" "default-ssl-policy" {
 project = var.project_id
 name = "default-ssl-policy"
- profile = "MODERN"
+ profile = "COMPATIBLE"
 min_tls_version = "TLS_1_2"
 description = "Recommended SSL policy for security purposes"
 }
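Review bot: The revert to `profile = "COMPATIBLE"` in the PATCH 3/3 hunk is not explained in the commit message or in the file, and it leaves the `description` ("Recommended SSL policy for security purposes") overstating what the policy does. `COMPATIBLE` is the most permissive cipher profile the load balancer offers, so the only restriction this policy adds over having none is the `min_tls_version = "TLS_1_2"` floor. If a particular client failed to negotiate against `MODERN`, record it above the line, e.g. `# COMPATIBLE: <client> cannot negotiate MODERN suites; revisit once it is upgraded`. Alternatively, `profile = "CUSTOM"` with an explicit `custom_features` list would admit only the suite that client needs instead of re-enabling the whole legacy set.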