This check ensures that the enable-oslogin metadata attribute is set to true on Google Compute Engine VM instances. With OS Login disabled (enable-oslogin = "FALSE"), users manage SSH keys directly in instance or project metadata: anyone with permission to edit metadata can add a key, the keys are not tied to IAM identities, and tracking or revoking an individual user's access means editing the key list by hand. With OS Login enabled, SSH access is granted and revoked through IAM (roles/compute.osLogin and roles/compute.osAdminLogin), which improves auditability and reduces the risk of unauthorized or stale access. Note that instance-level metadata takes precedence over project-level metadata, so a project-wide enable-oslogin = "TRUE" is silently overridden by an instance that sets it to "FALSE"; this is why the rule checks the instance itself. GCE reads the value as a string, and Terraform coerces the HCL boolean true to "true", so either form below enables OS Login.
metadata = {
  enable-oslogin = true
}
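As an added example (not part of the Datadog rule or its documentation), the following Python script applies the same check offline to the JSON form of a Terraform plan, as produced by `terraform show -json tfplan`. It walks `planned_values.root_module` and every nested `child_modules` entry, and reports each `google_compute_instance` whose metadata does not set `enable-oslogin` to a case-insensitive "true" (so "true", "TRUE" and the Terraform-coerced boolean all pass, while "FALSE" and an absent key fail). The embedded plan is a constructed sample, not real plan output.

```python
import json

# Constructed sample of `terraform show -json tfplan` output (not taken from the page).
# It contains a compliant instance, a non-compliant one, an unrelated resource,
# and an instance inside a child module that sets no metadata at all.
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "google_compute_instance.negative1",
         "type": "google_compute_instance",
         "values": {"name": "test", "metadata": {"enable-oslogin": "true"}}},
        {"address": "google_compute_instance.positive1",
         "type": "google_compute_instance",
         "values": {"name": "test", "metadata": {"enable-oslogin": "FALSE"}}},
        {"address": "google_compute_firewall.allow_ssh",
         "type": "google_compute_firewall",
         "values": {"name": "allow-ssh"}}
      ],
      "child_modules": [
        {"address": "module.workers",
         "resources": [
           {"address": "module.workers.google_compute_instance.nomd",
            "type": "google_compute_instance",
            "values": {"name": "worker", "metadata": null}}
         ]}
      ]
    }
  }
}
""")


def oslogin_enabled(value):
    """Return True only when the metadata value opts in to OS Login.

    GCE treats enable-oslogin as a string and accepts TRUE/FALSE in any case;
    Terraform coerces an HCL boolean true to the string "true". A missing value
    (None) is not an opt-in: the instance would inherit project metadata, which
    this instance-level rule does not rely on.
    """
    if value is None:
        return False
    return str(value).strip().lower() == "true"


def _walk_modules(module):
    """Yield every resource in a plan module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def find_noncompliant_instances(plan):
    """Return (address, enable-oslogin value) for each google_compute_instance
    in the plan whose own metadata does not enable OS Login."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _walk_modules(root):
        if res.get("type") != "google_compute_instance":
            continue
        # metadata may be absent or explicitly null in the plan
        metadata = res.get("values", {}).get("metadata") or {}
        value = metadata.get("enable-oslogin")
        if not oslogin_enabled(value):
            findings.append((res["address"], value))
    return findings


if __name__ == "__main__":
    for address, value in find_noncompliant_instances(SAMPLE_PLAN):
        print(f"{address}: enable-oslogin={value!r} (expected true)")
```

Run against a real plan with `terraform show -json tfplan > plan.json` and pass the parsed file to `find_noncompliant_instances`; a non-empty result is a failing check. Because it reads the planned values rather than the source, the script also catches values that arrive through variables or module inputs.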
Compliant Code Examples
resource "google_compute_instance" "negative1" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  tags = ["foo", "bar"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  // Local SSD disk
  scratch_disk {
    interface = "SCSI"
  }

  network_interface {
    network = "default"

    access_config {
      // Ephemeral IP
    }
  }

  metadata = {
    # ... some other metadata
    # OS Login must be explicitly enabled here, not left undefined
    enable-oslogin = true
  }

  metadata_startup_script = "echo hi > /test.txt"

  service_account {
    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
  }
}
Non-Compliant Code Examples
resource "google_compute_instance" "positive1" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  tags = ["foo", "bar"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  // Local SSD disk
  scratch_disk {
    interface = "SCSI"
  }

  network_interface {
    network = "default"

    access_config {
      // Ephemeral IP
    }
  }

  metadata = {
    # ... some other metadata
    enable-oslogin = "FALSE" # disables OS Login; SSH keys are managed in metadata instead
  }

  metadata_startup_script = "echo hi > /test.txt"

  service_account {
    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
  }
}
rulesets:
  - Terraform / GCP # Rules to enforce Terraform / GCP.