Skip to content

no-oslogin-override

Explanation

OS Login automatically revokes the relevant SSH keys when an IAM user has their access revoked.

Possible Impact

Access via SSH key cannot be revoked automatically when an IAM user is removed.

Suggested Resolution

Enable OS Login at project level and remove instance-level overrides

Insecure Example

The following example will fail the google-compute-no-oslogin-override check.

resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  // Local SSD disk
  scratch_disk {
    interface = "SCSI"
  }

  metadata = {
    enable-oslogin = false
  }
}

Secure Example

The following example will pass the google-compute-no-oslogin-override check.

resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  // Local SSD disk
  scratch_disk {
    interface = "SCSI"
  }

  metadata = {
  }
}