feat: Disable IMDSv1 per AWS default behavior change (#424)

bryantbiggs · web-flow · commit ce8ae23a15a2 · 2025-03-30T11:10:33.000-05:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.96.1
+    rev: v1.98.0
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each
diff --git a/README.md b/README.md
@@ -236,15 +236,15 @@ No modules.
 | <a name="input_key_name"></a> [key\_name](#input\_key\_name) | Key name of the Key Pair to use for the instance; which can be managed using the `aws_key_pair` resource | `string` | `null` | no |
 | <a name="input_launch_template"></a> [launch\_template](#input\_launch\_template) | Specifies a Launch Template to configure the instance. Parameters configured on this resource will override the corresponding parameters in the Launch Template | `map(string)` | `{}` | no |
 | <a name="input_maintenance_options"></a> [maintenance\_options](#input\_maintenance\_options) | The maintenance options for the instance | `any` | `{}` | no |
-| <a name="input_metadata_options"></a> [metadata\_options](#input\_metadata\_options) | Customize the metadata options of the instance | `map(string)` | <pre>{<br/>  "http_endpoint": "enabled",<br/>  "http_put_response_hop_limit": 1,<br/>  "http_tokens": "optional"<br/>}</pre> | no |
+| <a name="input_metadata_options"></a> [metadata\_options](#input\_metadata\_options) | Customize the metadata options of the instance | `map(string)` | <pre>{<br/>  "http_endpoint": "enabled",<br/>  "http_put_response_hop_limit": 1,<br/>  "http_tokens": "required"<br/>}</pre> | no |
 | <a name="input_monitoring"></a> [monitoring](#input\_monitoring) | If true, the launched EC2 instance will have detailed monitoring enabled | `bool` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be used on EC2 instance created | `string` | `""` | no |
 | <a name="input_network_interface"></a> [network\_interface](#input\_network\_interface) | Customize network interfaces to be attached at instance boot time | `list(map(string))` | `[]` | no |
 | <a name="input_placement_group"></a> [placement\_group](#input\_placement\_group) | The Placement Group to start the instance in | `string` | `null` | no |
 | <a name="input_private_dns_name_options"></a> [private\_dns\_name\_options](#input\_private\_dns\_name\_options) | Customize the private DNS name options of the instance | `map(string)` | `{}` | no |
 | <a name="input_private_ip"></a> [private\_ip](#input\_private\_ip) | Private IP address to associate with the instance in a VPC | `string` | `null` | no |
 | <a name="input_putin_khuylo"></a> [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no |
-| <a name="input_root_block_device"></a> [root\_block\_device](#input\_root\_block\_device) | Customize details about the root block device of the instance. See [Block Devices](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#ebs-ephemeral-and-root-block-devices) for details | `list(any)` | `[]` | no |
+| <a name="input_root_block_device"></a> [root\_block\_device](#input\_root\_block\_device) | Customize details about the root block device of the instance. See Block Devices below for details | `list(any)` | `[]` | no |
 | <a name="input_secondary_private_ips"></a> [secondary\_private\_ips](#input\_secondary\_private\_ips) | A list of secondary private IPv4 addresses to assign to the instance's primary network interface (eth0) in a VPC. Can only be assigned to the primary network interface (eth0) attached at instance creation, not a pre-existing network interface i.e. referenced in a `network_interface block` | `list(string)` | `null` | no |
 | <a name="input_source_dest_check"></a> [source\_dest\_check](#input\_source\_dest\_check) | Controls if traffic is routed to the instance when the destination address does not match the instance. Used for NAT or VPNs | `bool` | `null` | no |
 | <a name="input_spot_block_duration_minutes"></a> [spot\_block\_duration\_minutes](#input\_spot\_block\_duration\_minutes) | The required duration for the Spot instances, in minutes. This value must be a multiple of 60 (60, 120, 180, 240, 300, or 360) | `number` | `null` | no |
diff --git a/main.tf b/main.tf
@@ -122,7 +122,7 @@ resource "aws_instance" "this" {
 
     content {
       http_endpoint               = try(metadata_options.value.http_endpoint, "enabled")
-      http_tokens                 = try(metadata_options.value.http_tokens, "optional")
+      http_tokens                 = try(metadata_options.value.http_tokens, "required")
       http_put_response_hop_limit = try(metadata_options.value.http_put_response_hop_limit, 1)
       instance_metadata_tags      = try(metadata_options.value.instance_metadata_tags, null)
     }
@@ -300,7 +300,7 @@ resource "aws_instance" "ignore_ami" {
 
     content {
       http_endpoint               = try(metadata_options.value.http_endpoint, "enabled")
-      http_tokens                 = try(metadata_options.value.http_tokens, "optional")
+      http_tokens                 = try(metadata_options.value.http_tokens, "required")
       http_put_response_hop_limit = try(metadata_options.value.http_put_response_hop_limit, 1)
       instance_metadata_tags      = try(metadata_options.value.instance_metadata_tags, null)
     }
@@ -494,7 +494,7 @@ resource "aws_spot_instance_request" "this" {
 
     content {
       http_endpoint               = try(metadata_options.value.http_endpoint, "enabled")
-      http_tokens                 = try(metadata_options.value.http_tokens, "optional")
+      http_tokens                 = try(metadata_options.value.http_tokens, "required")
       http_put_response_hop_limit = try(metadata_options.value.http_put_response_hop_limit, 1)
       instance_metadata_tags      = try(metadata_options.value.instance_metadata_tags, null)
     }
diff --git a/variables.tf b/variables.tf
@@ -160,7 +160,7 @@ variable "metadata_options" {
   default = {
     "http_endpoint"               = "enabled"
     "http_put_response_hop_limit" = 1
-    "http_tokens"                 = "optional"
+    "http_tokens"                 = "required"
   }
 }
 
diff --git a/wrappers/main.tf b/wrappers/main.tf
@@ -48,7 +48,7 @@ module "wrapper" {
   metadata_options = try(each.value.metadata_options, var.defaults.metadata_options, {
     "http_endpoint"               = "enabled"
     "http_put_response_hop_limit" = 1
-    "http_tokens"                 = "optional"
+    "http_tokens"                 = "required"
   })
   monitoring                          = try(each.value.monitoring, var.defaults.monitoring, null)
   name                                = try(each.value.name, var.defaults.name, "")

Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,7 @@ variable "metadata_options" {`
`160`	`160`	`default = {`
`161`	`161`	`"http_endpoint" = "enabled"`
`162`	`162`	`"http_put_response_hop_limit" = 1`
`163`		`- "http_tokens" = "optional"`
	`163`	`+ "http_tokens" = "required"`
`164`	`164`	`}`
`165`	`165`	`}`
`166`	`166`