Expose metadata HTTP tokens (#56)

* Add metadata_http_tokens variable

* Auto Format

Co-authored-by: cloudpossebot <[email protected]>
Co-authored-by: alexjurkiewicz <[email protected]>
Co-authored-by: nitro <[email protected]>
Co-authored-by: PePe Amengual <[email protected]>

README.md

@@ -284,6 +284,7 @@ Available targets:
 | <a name="input_load_balancers"></a> [load\_balancers](#input\_load\_balancers) | A list of elastic load balancer names to add to the autoscaling group names. Only valid for classic load balancers. For ALBs, use `target_group_arns` instead | `list(string)` | `[]` | no |
 | <a name="input_max_instance_lifetime"></a> [max\_instance\_lifetime](#input\_max\_instance\_lifetime) | The maximum amount of time, in seconds, that an instance can be in service, values must be either equal to 0 or between 604800 and 31536000 seconds | `number` | `null` | no |
 | <a name="input_max_size"></a> [max\_size](#input\_max\_size) | The maximum size of the autoscale group | `number` | n/a | yes |
+| <a name="input_metadata_http_tokens"></a> [metadata\_http\_tokens](#input\_metadata\_http\_tokens) | Whether or not the metadata service requires session tokens, also referred<br>to as Instance Metadata Service Version 2 (IMDSv2). Can be "optional" or<br>"required". | `string` | `"optional"` | no |
 | <a name="input_metrics_granularity"></a> [metrics\_granularity](#input\_metrics\_granularity) | The granularity to associate with the metrics to collect. The only valid value is 1Minute | `string` | `"1Minute"` | no |
 | <a name="input_min_elb_capacity"></a> [min\_elb\_capacity](#input\_min\_elb\_capacity) | Setting this causes Terraform to wait for this number of instances to show up healthy in the ELB only on creation. Updates will not wait on ELB instance number changes | `number` | `0` | no |
 | <a name="input_min_size"></a> [min\_size](#input\_min\_size) | The minimum size of the autoscale group | `number` | n/a | yes |

docs/terraform.md

@@ -79,6 +79,7 @@
 | <a name="input_load_balancers"></a> [load\_balancers](#input\_load\_balancers) | A list of elastic load balancer names to add to the autoscaling group names. Only valid for classic load balancers. For ALBs, use `target_group_arns` instead | `list(string)` | `[]` | no |
 | <a name="input_max_instance_lifetime"></a> [max\_instance\_lifetime](#input\_max\_instance\_lifetime) | The maximum amount of time, in seconds, that an instance can be in service, values must be either equal to 0 or between 604800 and 31536000 seconds | `number` | `null` | no |
 | <a name="input_max_size"></a> [max\_size](#input\_max\_size) | The maximum size of the autoscale group | `number` | n/a | yes |
+| <a name="input_metadata_http_tokens"></a> [metadata\_http\_tokens](#input\_metadata\_http\_tokens) | Whether or not the metadata service requires session tokens, also referred<br>to as Instance Metadata Service Version 2 (IMDSv2). Can be "optional" or<br>"required". | `string` | `"optional"` | no |
 | <a name="input_metrics_granularity"></a> [metrics\_granularity](#input\_metrics\_granularity) | The granularity to associate with the metrics to collect. The only valid value is 1Minute | `string` | `"1Minute"` | no |
 | <a name="input_min_elb_capacity"></a> [min\_elb\_capacity](#input\_min\_elb\_capacity) | Setting this causes Terraform to wait for this number of instances to show up healthy in the ELB only on creation. Updates will not wait on ELB instance number changes | `number` | `0` | no |
 | <a name="input_min_size"></a> [min\_size](#input\_min\_size) | The minimum size of the autoscale group | `number` | n/a | yes |

examples/complete/main.tf

@@ -37,6 +37,7 @@ module "autoscale_group" {
   wait_for_capacity_timeout   = var.wait_for_capacity_timeout
   associate_public_ip_address = true
   user_data_base64            = base64encode(local.userdata)
+  metadata_http_tokens        = "required"
 
   tags = {
     Tier              = "1"

main.tf

@@ -97,6 +97,17 @@ resource "aws_launch_template" "default" {
     security_groups             = var.security_group_ids
   }
 
+  metadata_options {
+    http_endpoint               = "enabled"
+    http_tokens                 = var.metadata_http_tokens
+    http_put_response_hop_limit = 1
+  }
+
+  tag_specifications {
+    resource_type = "volume"
+    tags          = module.this.tags
+  }
+
   dynamic "tag_specifications" {
     for_each = var.tag_specifications_resource_types
 

variables.tf

@@ -115,7 +115,7 @@ variable "instance_refresh" {
   default = null
 }
 
-variable mixed_instances_policy {
+variable "mixed_instances_policy" {
   description = "policy to used mixed group of on demand/spot of differing types. Launch template is automatically generated. https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html#mixed_instances_policy-1"
 
   type = object({
@@ -438,6 +438,21 @@ variable "use_name_prefix" {
   description = "If `true`, this will use the asg argument `name_prefix` instead of `name`"
 }
 
+variable "metadata_http_tokens" {
+  type        = string
+  default     = "optional"
+  description = <<-EOT
+    Whether or not the metadata service requires session tokens, also referred
+    to as Instance Metadata Service Version 2 (IMDSv2). Can be "optional" or
+    "required".
+  EOT
+
+  validation {
+    condition     = var.metadata_http_tokens == "optional" || var.metadata_http_tokens == "required"
+    error_message = "Only 'optional' and 'required' are supported as values."
+  }
+}
+
 variable "tag_specifications_resource_types" {
   type        = list(string)
   default     = ["instance", "volume"]
@@ -449,3 +464,4 @@ variable "max_instance_lifetime" {
   default     = null
   description = "The maximum amount of time, in seconds, that an instance can be in service, values must be either equal to 0 or between 604800 and 31536000 seconds"
 }
+