Legacy metadata endpoints enabled.
Explanation
The Compute Engine instance metadata server exposes legacy v0.1 and v1beta1 endpoints, which do not enforce metadata query headers.
Requiring these headers is a feature of the v1 API that makes it more difficult for a potential attacker to retrieve instance metadata.
Unless specifically required, we recommend you disable these legacy APIs.
When the metadata block is set, disable-legacy-endpoints defaults to true; the legacy endpoints should not be explicitly enabled by setting it to false.
Insecure Example
The following example will fail the GCP007 check.
resource "google_container_cluster" "gke" {
  metadata {
    # explicitly re-enables the legacy v0.1 and v1beta1 endpoints
    disable-legacy-endpoints = false
  }
}
Secure Example
The following example will pass the GCP007 check.
resource "google_container_cluster" "gke" {
  metadata {
    # matches the default; legacy endpoints stay disabled
    disable-legacy-endpoints = true
  }
}
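To show how a check like GCP007 can be applied to Terraform source, the following is an added example (not tfsec's own implementation): a small scanner that walks each google_container_cluster resource, matches braces to isolate its body, and reports whether disable-legacy-endpoints is explicitly false, true, or absent. The sample HCL is constructed for the example; the regex-based parsing and the FAIL/PASS/DEFAULT verdict names are assumptions of this example, not part of tfsec.

```python
import re

# Constructed sample: the page's insecure and secure snippets plus a cluster
# that omits the setting and therefore relies on the default of true.
SAMPLE_TF = '''
resource "google_container_cluster" "insecure" {
  metadata {
    disable-legacy-endpoints = false
  }
}
resource "google_container_cluster" "secure" {
  metadata {
    disable-legacy-endpoints = true
  }
}
resource "google_container_cluster" "implicit" {
  name = "implicit"
}
'''

RESOURCE_RE = re.compile(r'resource\s+"google_container_cluster"\s+"(?P<name>[^"]+)"\s*\{')
SETTING_RE = re.compile(r'disable-legacy-endpoints\s*=\s*"?(?P<value>true|false)"?')


def _resource_bodies(hcl):
    """Yield (name, body) for each google_container_cluster resource, matching braces."""
    for m in RESOURCE_RE.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group("name"), hcl[m.end():i - 1]


def check_legacy_endpoints(hcl):
    """Map each cluster name to FAIL (legacy endpoints explicitly enabled),
    PASS (explicitly disabled) or DEFAULT (setting absent, default applies)."""
    verdicts = {}
    for name, body in _resource_bodies(hcl):
        m = SETTING_RE.search(body)
        if m is None:
            verdicts[name] = "DEFAULT"
        elif m.group("value") == "false":
            verdicts[name] = "FAIL"
        else:
            verdicts[name] = "PASS"
    return verdicts


if __name__ == "__main__":
    for name, verdict in check_legacy_endpoints(SAMPLE_TF).items():
        print(f"{verdict}: google_container_cluster.{name}")
```

The scanner also accepts the quoted form `disable-legacy-endpoints = "false"` used when metadata is written as a map, since the value is a string there.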