Google Compute Engine SSL Policy

google_compute_ssl_policy (Terraform)

The SSL Policy in Compute Engine can be configured in Terraform with the resource name google_compute_ssl_policy. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

Checkmarx/kics

resource "google_compute_ssl_policy" "positive1" {
  name            = "custom-ssl-policy"
  min_tls_version = "TLS_1_1"
  profile         = "CUSTOM"
  custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
}

leonidweinbergcx/mykics

resource "google_compute_ssl_policy" "positive1" {
  name            = "custom-ssl-policy"
  min_tls_version = "TLS_1_1"
  profile         = "CUSTOM"
  custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
}

broadinstitute/terraform-shared

resource "google_compute_ssl_policy" "ssl-policy" {
  provider        = google.target
  count           = var.load_balancer_ssl_policy_create
  name            = var.ssl_policy_name
  profile         = var.load_balancer_ssl_policy_profile
  min_tls_version = var.min_tls_version

llcloudstudio/terraform-google-external-cloudrun-byo-domain

resource "google_compute_ssl_policy" "primary" {
  name            = local.SSL_CERT_NAME
  project         = data.google_project.primary.number
  profile         = "MODERN"
  min_tls_version = "TLS_1_2"
  lifecycle {

Security Best Practices for google_compute_ssl_policy

There is 1 setting in google_compute_ssl_policy that should be taken care of for security reasons. The following section explain an overview and example code.

Ensure to use modern TLS protocols

It's better to adopt TLS v1.2+ instead of outdated TLS protocols.

Parameters

• creation_timestamp optional computed - string

Creation timestamp in RFC3339 text format.

• custom_features optional - set of string

Profile specifies the set of SSL features that can be used by the load balancer when negotiating SSL with clients. This can be one of 'COMPATIBLE', 'MODERN', 'RESTRICTED', or 'CUSTOM'. If using 'CUSTOM', the set of SSL features to enable must be specified in the 'customFeatures' field. See the official documentation for which ciphers are available to use. Note: this argument must be present when using the 'CUSTOM' profile. This argument must not be present when using any other profile.

• description optional - string

An optional description of this resource.

• enabled_features optional computed - set of string

The list of features enabled in the SSL policy.

• fingerprint optional computed - string

Fingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking.

• id optional computed - string
• min_tls_version optional - string

The minimum version of SSL protocol that can be used by the clients to establish a connection with the load balancer. Default value: "TLS_1_0" Possible values: ["TLS_1_0", "TLS_1_1", "TLS_1_2"]

• name required - string

Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression 'a-z?' which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

• profile optional - string

Profile specifies the set of SSL features that can be used by the load balancer when negotiating SSL with clients. If using 'CUSTOM', the set of SSL features to enable must be specified in the 'customFeatures' field. See the official documentation for information on what cipher suites each profile provides. If 'CUSTOM' is used, the 'custom_features' attribute must be set. Default value: "COMPATIBLE" Possible values: ["COMPATIBLE", "MODERN", "RESTRICTED", "CUSTOM"]

• project optional computed - string
• self_link optional computed - string
• timeouts single block
  • create optional - string
  • delete optional - string
  • update optional - string

Explanation in Terraform Registry

Represents a SSL policy. SSL policies give you the ability to control the features of SSL that your SSL proxy or HTTPS load balancer negotiates. To get more information about SslPolicy, see:

• API documentation
• How-to Guides
  • Using SSL Policies

Tips: Best Practices for The Other Google Compute Engine Resources

In addition to the google_compute_disk, Google Compute Engine has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

google_compute_disk

Ensure the encryption key for your GCE disk is stored securely

It is better to store the encryption key for your GCE disk securely. Secret Manager could be used instead.

google_compute_firewall

Ensure your VPC firewall blocks unwanted outbound traffic

It is better to block unwanted outbound traffic not to expose resources in the VPC to unwanted attacks.

google_compute_instance

Ensure appropriate service account is assigned to your GCE instance

It is better to create a custom service account for the instance and assign it.

google_compute_project_metadata

Ensure OS login for your GCE instances is enabled at project level

It is better to enable OS login for your GCE instances. Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users, allowing centralized and automated SSH key management.

google_compute_subnetwork

Ensure VPC flow logging is enabled

It is better to enable VPC flow logging. VPC flow logging allows us to audit traffic in your network.