
Legacy metadata endpoints enabled.

Explanation

The Compute Engine instance metadata server exposes legacy v0.1 and v1beta1 endpoints, which do not enforce metadata query headers.

Header enforcement is a feature of the v1 API that makes it more difficult for a potential attacker to retrieve instance metadata.

Unless specifically required, we recommend you disable these legacy APIs.

When a metadata block is set, disable-legacy-endpoints defaults to true; the legacy endpoints should not be explicitly re-enabled by setting it to false.

Insecure Example

The following example will fail the GCP007 check.

resource "google_container_cluster" "gke" {
  metadata {
    disable-legacy-endpoints = false  # explicitly re-enables the legacy endpoints
  }
}

Secure Example

The following example will pass the GCP007 check.

resource "google_container_cluster" "gke" {
  metadata {
    disable-legacy-endpoints = true  # matches the default; legacy endpoints stay disabled
  }
}
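To show how the rule behaves across the three cases a reviewer meets (attribute set to false, set to true, or omitted so the default applies), here is an added, stand-alone re-implementation of the GCP007 logic in Python. It is illustrative code written for this page, not tfsec's own implementation; the sample HCL snippets are constructed, and the regex-based parsing assumes the simple block shapes shown above (it also tolerates the map form `metadata = { ... }`).

```python
import re

# Constructed sample inputs: the two examples from this page plus a cluster
# that omits the attribute entirely (provider default is true).
INSECURE_HCL = '''resource "google_container_cluster" "gke" {
  metadata {
    disable-legacy-endpoints = false
  }
}
'''
SECURE_HCL = INSECURE_HCL.replace("false", "true")
DEFAULT_HCL = 'resource "google_container_cluster" "gke" {\n}\n'

RESOURCE_RE = re.compile(r'resource\s+"google_container_cluster"\s+"([^"]+)"\s*\{')
# Accept both the block form `metadata {` and the map form `metadata = {`.
METADATA_RE = re.compile(r'metadata\s*=?\s*\{(.*?)\}', re.S)
# Accept bare or quoted booleans, since "false" is as dangerous as false here.
ATTR_RE = re.compile(r'disable-legacy-endpoints\s*=\s*"?(true|false)"?', re.I)


def extract_block(text, start):
    """Return the body of the brace block whose opening '{' is at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def check_gcp007(hcl_text):
    """Return [(cluster_name, 'pass'|'fail')] for every google_container_cluster."""
    results = []
    for m in RESOURCE_RE.finditer(hcl_text):
        name = m.group(1)
        body = extract_block(hcl_text, m.end() - 1)
        meta = METADATA_RE.search(body)
        if meta is None:
            results.append((name, "pass"))  # no metadata: default (true) applies
            continue
        attr = ATTR_RE.search(meta.group(1))
        if attr is None or attr.group(1).lower() == "true":
            results.append((name, "pass"))  # omitted or explicitly true
        else:
            results.append((name, "fail"))  # legacy endpoints explicitly enabled
    return results
```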