diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index def6a3eb9b29c4ca801a50a62378afa7ccf1389b..e05805fee58159f1e941cb5c0973f2988422f618 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,16 +1,16 @@
 include:
   - project: "uis/devops/continuous-delivery/ci-templates"
     file: "/terraform-module.yml"
-    ref: "v3.7.0"
+    ref: "v4.2.0"
   - project: "uis/devops/continuous-delivery/ci-templates"
     file: "/pre-commit.yml"
-    ref: "v3.7.0"
+    ref: "v4.2.0"
   - project: "uis/devops/continuous-delivery/ci-templates"
     file: "/auto-devops/release-it.yml"
-    ref: "v3.7.0"
+    ref: "v4.2.0"
   - project: "uis/devops/continuous-delivery/ci-templates"
     file: "/commitlint.yml"
-    ref: "v3.7.0"
+    ref: "v4.2.0"
 
 variables:
   LOGAN_IMAGE: registry.gitlab.developers.cam.ac.uk/uis/devops/infra/dockerimages/logan-terraform:1.6
diff --git a/README.md b/README.md
index d7773a5a4db9a62050fd8d93b5e03f8f81ead19d..21e4f33720d1c57fbfb8b8a140194cbd4c43b27a 100644
--- a/README.md
+++ b/README.md
@@ -70,7 +70,7 @@ For more information on how the pre-deploy Cloud Run job works see the
 | <a name="input_encryption_key"></a> [encryption\_key](#input\_encryption\_key) | The ID of a customer managed encryption key (CMEK) to use to encrypt this<br>container image. | `string` | `null` | no |
 | <a name="input_execution_environment"></a> [execution\_environment](#input\_execution\_environment) | The sandbox environment to host this revision. Possible values are<br>EXECUTION\_ENVIRONMENT\_GEN1, and EXECUTION\_ENVIRONMENT\_GEN2. | `string` | `"EXECUTION_ENVIRONMENT_GEN1"` | no |
 | <a name="input_grant_sql_client_role_to_webapp_sa"></a> [grant\_sql\_client\_role\_to\_webapp\_sa](#input\_grant\_sql\_client\_role\_to\_webapp\_sa) | When set to true the roles/cloudsql.client role will be granted to the webapp<br>service account at the project level to allow it to connect to Cloud SQL. | `bool` | `false` | no |
-| <a name="input_ingress"></a> [ingress](#input\_ingress) | The ingress setting for the Cloud Run service. Possible values are<br>INGRESS\_TRAFFIC\_ALL, INGRESS\_TRAFFIC\_INTERNAL\_ONLY, and<br>INGRESS\_TRAFFIC\_INTERNAL\_LOAD\_BALANCER.<br><br>If var.use\_load\_balancer == true, the provided var.ingress will be ignored and<br>the ingress will be set automatically to<br>"INGRESS\_TRAFFIC\_INTERNAL\_LOAD\_BALANCER". | `string` | `"INGRESS_TRAFFIC_ALL"` | no |
+| <a name="input_ingress"></a> [ingress](#input\_ingress) | The ingress setting for the Cloud Run service. Possible values are<br>INGRESS\_TRAFFIC\_ALL, INGRESS\_TRAFFIC\_INTERNAL\_ONLY, and<br>INGRESS\_TRAFFIC\_INTERNAL\_LOAD\_BALANCER. | `string` | `null` | no |
 | <a name="input_launch_stage"></a> [launch\_stage](#input\_launch\_stage) | The launch stage for the Cloud Run service. Possible values are UNIMPLEMENTED,<br>PRELAUNCH, EARLY\_ACCESS, ALPHA, BETA, GA, and DEPRECATED. | `string` | `"GA"` | no |
 | <a name="input_max_instance_request_concurrency"></a> [max\_instance\_request\_concurrency](#input\_max\_instance\_request\_concurrency) | Sets the maximum number of requests that each serving instance can receive. | `number` | `null` | no |
 | <a name="input_min_ports_per_vm"></a> [min\_ports\_per\_vm](#input\_min\_ports\_per\_vm) | When using Cloud NAT to provide an egress route, Cloud NAT's minimum ports per<br>VM can be configured to determine how many concurrent connections can be<br>established to the same destination IP address and port. | `number` | `64` | no |
diff --git a/locals.tf b/locals.tf
index 868e37a2354bc4d2bb456eca2daf32a2e73cc648..91f03e9ffcfa64203b6904e0e84f10995720256f 100644
--- a/locals.tf
+++ b/locals.tf
@@ -4,7 +4,9 @@ locals {
   # Project containing existing Cloud SQL instance.
   sql_instance_project = coalesce(var.sql_instance_project, var.project)
 
-  ingress = var.enable_load_balancer ? "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER" : var.ingress
+  ingress = var.enable_load_balancer && var.ingress == null ? "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER" : (
+    var.ingress == null ? "INGRESS_TRAFFIC_ALL" : var.ingress
+  )
 
   # Whether we should monitor the custom domain - only possible if there are a dns names set and unauthenticated
   # invocation is enabled.
diff --git a/tests/load_balancer.tftest.hcl b/tests/load_balancer.tftest.hcl
index ed47d2f59ce53ea6c089b64f969ceb45ebd585af..5801db0d2c83d079fe59eef04a4eac3c9cfe1b92 100644
--- a/tests/load_balancer.tftest.hcl
+++ b/tests/load_balancer.tftest.hcl
@@ -101,3 +101,24 @@ run "test_service_with_default_variable_values_and_load_balancer_enabled" {
     error_message = "A https proxy resource should be created by the load balancer module."
   }
 }
+
+run "test_service_with_load_balancer_enabled_and_ingress_set_to_allow_all" {
+  variables {
+    name                 = run.setup.random_name
+    enable_load_balancer = true
+    ingress              = "INGRESS_TRAFFIC_ALL"
+    dns_names = {
+      webapp = "${run.setup.random_name}.test.example.gcp.uis.cam.ac.uk"
+    }
+    containers = {
+      webapp = {
+        image = "us-docker.pkg.dev/cloudrun/container/hello"
+      }
+    }
+  }
+
+  assert {
+    condition     = google_cloud_run_v2_service.webapp.ingress == "INGRESS_TRAFFIC_ALL"
+    error_message = "Ingress should be 'INGRESS_TRAFFIC_ALL'."
+  }
+}
diff --git a/variables.tf b/variables.tf
index 698d8b3e3acafc63b8364456fa07c5cf66aa556f..9c651fce16fee349f990d938e2bd139914316e7d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -48,13 +48,9 @@ variable "ingress" {
 The ingress setting for the Cloud Run service. Possible values are
 INGRESS_TRAFFIC_ALL, INGRESS_TRAFFIC_INTERNAL_ONLY, and
 INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER.
-
-If var.use_load_balancer == true, the provided var.ingress will be ignored and
-the ingress will be set automatically to
-"INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER".
 EOI
   type        = string
-  default     = "INGRESS_TRAFFIC_ALL"
+  default     = null
 }
 
 variable "launch_stage" {