terraform.gcp.security.gcp-compute-os-login.gcp-compute-os-login

Author: semgrep

Ensure that no instance in the project overrides the project setting for enabling OSLogin (OSLogin needs to be enabled in project metadata for all instances)

Definition

rules:
  - id: gcp-compute-os-login
    patterns:
      - pattern: resource
      - pattern-inside: |
          resource "google_compute_instance" "..." {
          ...
          metadata = {
              enable-oslogin = false
          }
          ...
          }
    message: "Ensure that no instance in the project overrides the project setting
      for enabling OSLogin (OSLogin needs to be enabled in project metadata for
      all instances)\t"
    metadata:
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-284: Improper Access Control"
      category: security
      technology:
        - terraform
        - gcp
      references:
        - https://docs.bridgecrew.io/docs/google-cloud-policy-index
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING

Examples

gcp-compute-os-login.tf

# fail
# ruleid: gcp-compute-os-login
resource "google_compute_instance" "fail" {
    name         = "test"
    machine_type = "n1-standard-1"
    zone         = "us-central1-a"
    boot_disk {}
    metadata = {
        enable-oslogin = false
    }
}

# ok: gcp-compute-os-login
resource "google_compute_instance" "success1" {
    name         = "test"
    machine_type = "n1-standard-1"
    zone         = "us-central1-a"
    boot_disk {}
    metadata = {
        foo = "bar"
    }
}

# ok: gcp-compute-os-login
resource "google_compute_instance" "success2" {
    name         = "test"
    machine_type = "n1-standard-1"
    zone         = "us-central1-a"
    boot_disk {}
    metadata = {
        enable-oslogin = true
    }
}
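The rule description refers to the project-level OS Login setting that instances are expected to inherit. The Terraform below is an added example, not part of the Semgrep rule or its test file: it sets `enable-oslogin` once on project metadata with the `google_compute_project_metadata_item` resource and declares an instance that carries no `enable-oslogin` key of its own, so the project value applies and there is nothing for the rule to match. The project ID, instance name, network and boot image are placeholders. Note that the pattern above matches the bare literal `enable-oslogin = false` inside the instance's `metadata` map; the remediation is to delete that override (as here) or set it to `true` (as in `success2`), and to keep the project-level value at `TRUE`.

```hcl
# Added example (not the rule's own test file). Project ID, names and image
# are placeholders.

# Enable OS Login once, at the project level. GCP reads this as a string,
# so "TRUE" is used rather than a bare boolean.
resource "google_compute_project_metadata_item" "os_login" {
  project = "my-project-id" # placeholder
  key     = "enable-oslogin"
  value   = "TRUE"
}

# Inherits the project setting: no enable-oslogin key in instance metadata,
# so this resource does not override the project value and is not flagged.
resource "google_compute_instance" "inherits_project_setting" {
  name         = "app-1" # placeholder
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11" # placeholder image family
    }
  }

  network_interface {
    network = "default" # placeholder
  }

  # Unrelated keys are fine; only an explicit enable-oslogin = false
  # override in this map would be matched by the rule.
  metadata = {
    environment = "prod"
  }

  depends_on = [google_compute_project_metadata_item.os_login]
}
```

Running `semgrep --config p/terraform` (or the single rule by id) over this file reports no finding, while re-adding `enable-oslogin = false` to the instance's `metadata` map reproduces the `fail` case from the examples above.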