Add SSL policies to HTTPS proxies in network configuration

[jakubno]

Note

Adds SSL policies and attaches them to HTTPS proxies for main and ingress load balancers, enforcing MODERN profile with minimum TLS 1.2.

• Network (GCP HTTPS LB):
  • Add google_compute_ssl_policy in network/main.tf and network/ingress.tf (profile: MODERN, min TLS: TLS_1_2).
  • Attach ssl_policy to google_compute_target_https_proxy.default and .ingress to enforce the policy.

^{Written by Cursor Bugbot for commit 179e8d3. This will update automatically on new commits. Configure here.}

[linear]

ENG-3287 Setup ssl policy in GCP load balancers

[claude]

Code Review

Potential Issues:

1. Missing certificate_map dependency in ingress.tf: The SSL policy references google_certificate_manager_certificate_map.certificate_map from the parent module, but Terraform may not properly track the dependency chain. Consider adding explicit depends_on to the HTTPS proxy.

2. Resource naming collision risk: SSL policy names use prefix variables. Verify prefixes are properly set across all environments to avoid collisions.

3. TLS 1.2 minimum may be too permissive: Some compliance standards (PCI DSS 4.0, HIPAA) are moving toward TLS 1.3. Consider if stricter settings are needed.

Performance Considerations:

4. MODERN profile cipher overhead: Stronger cipher suites may add 1-3ms per TLS handshake. Monitor WebSocket connection times to sandboxes after deployment.

Security Concerns:

5. TLS 1.2 allows weak ciphers: Consider TLS 1.3 minimum if client compatibility allows, or document why TLS 1.2 is required.

6. No explicit cipher control: MODERN profile is good but GCP may change included ciphers. For sensitive workloads, use custom_features for explicit cipher suite control.

Recommendation: Test in staging and monitor TLS handshake latency, client compatibility, and Cloud Armor logs.