On Google Compute Engine instances, OSLogin controls the ability to use IAM roles for access, including the ability to require two-factor authentication. It is configured through instance metadata, at either the project or the instance level. For more information on using the OSLogin functionality, see the GCP documentation.
References:
https://cloud.google.com/compute/docs/oslogin/set-up-oslogin
OSLogin with MFA can be set at either the project or the instance level using metadata. The metadata uses the key enable-oslogin-2fa with the value TRUE. To set this, determine whether it needs to be at the project or instance level, then follow the instructions in the GCP documentation (below). It is best to set this at the project level so that it is centrally managed.
In Terraform -
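The following is an added example, not configuration from the original page: it sets the enable-oslogin-2fa key at the project level and, for comparison, on a single instance. The project ID, instance name, zone, machine type, image and network are placeholder values, and the enable-oslogin key is included on the assumption that OSLogin itself is not yet enabled.

```hcl
# Added example. All names and IDs below are placeholders.

# Project level (preferred: centrally managed).
# google_compute_project_metadata is authoritative for ALL project metadata:
# keys that exist on the project but are not listed here are removed on apply.
# Use google_compute_project_metadata_item to manage single keys instead.
resource "google_compute_project_metadata" "oslogin" {
  project = "example-project-id" # placeholder

  metadata = {
    "enable-oslogin"     = "TRUE" # OSLogin must be on for the 2FA key to apply
    "enable-oslogin-2fa" = "TRUE"
  }
}

# Instance level. Instance metadata takes precedence over project metadata,
# so an instance that sets either key to "FALSE" opts out of the project
# default. Review instance blocks for such overrides.
resource "google_compute_instance" "example" {
  project      = "example-project-id" # placeholder
  name         = "example-instance"   # placeholder
  zone         = "us-central1-a"      # placeholder
  machine_type = "e2-small"           # placeholder

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12" # placeholder
    }
  }

  network_interface {
    network = "default" # placeholder
  }

  metadata = {
    "enable-oslogin"     = "TRUE"
    "enable-oslogin-2fa" = "TRUE"
  }
}
```

If the project-level setting is in place, the instance-level metadata block can be omitted so that the project default is inherited.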
References:
https://cloud.google.com/compute/docs/oslogin/set-up-oslogin
https://cloud.google.com/compute/docs/metadata/setting-custom-metadata#set-projectwide
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_project_metadata
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance