---
title: Google Compute SSL policy weak cipher in use
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Google Compute SSL policy weak cipher in use
---

# Google Compute SSL policy weak cipher in use

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-gcp-google-compute-ssl-policy-weak-cipher-in-use` 

**Provider:** GCP

**Platform:** Ansible

**Severity:** Medium

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_ssl_policy_module.html)

### Description{% #description %}

Compute SSL policies must enforce a minimum TLS version of `TLS_1_2` to prevent use of older, vulnerable protocol versions and weak cipher suites. The `min_tls_version` property on `google.cloud.gcp_compute_ssl_policy` (or `gcp_compute_ssl_policy`) resources must be defined and set to `TLS_1_2`. Resources that omit `min_tls_version` or set it to any other value are flagged.

```yaml
- name: Create SSL policy with TLS 1.2 minimum
  google.cloud.gcp_compute_ssl_policy:
    name: my-ssl-policy
    profile: MODERN
    min_tls_version: TLS_1_2
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: create a SSL policy
  google.cloud.gcp_compute_ssl_policy:
    name: test_object
    profile: CUSTOM
    min_tls_version: TLS_1_2
    custom_features:
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: create a SSL policy
  google.cloud.gcp_compute_ssl_policy:
    name: test_object
    profile: CUSTOM
    custom_features:
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
- name: create a SSL policy2
  google.cloud.gcp_compute_ssl_policy:
    name: test_object2
    profile: CUSTOM
    min_tls_version: TLS_1_1
    custom_features:
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
```