GCP007 - Legacy metadata endpoints enabled.

Written by tfsec

Explanation

The Compute Engine instance metadata server exposes legacy v0.1 and v1beta1 endpoints, which do not enforce metadata query headers.

This is a feature in the v1 APIs that makes it more difficult for a potential attacker to retrieve instance metadata.

Unless specifically required, we recommend you disable these legacy APIs.

When setting the metadata block, the default value for disable-legacy-endpoints is set to true, they should not be explicitly enabled.

Insecure Example

The following example will fail the GCP007 check.

resource "google_container_cluster" "bad_example" {
	metadata {
    disable-legacy-endpoints = false
  }
}

Secure Example

The following example will pass the GCP007 check.

resource "google_container_cluster" "good_example" {
	metadata {
    disable-legacy-endpoints = true
  }
}

Related Links

• https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#protect_node_metadata_default_for_112

• https://www.terraform.io/docs/providers/google/r/container_cluster.html#metadata

---