backport "feat: IMDSv2 metadata configuration in Launch Templates"

terraform-aws-modules#938 NOTES: Addition of the IMDSv2 metadata configuration block to Launch Templates will cause a diff to be generated for existing Launch Templates on first Terraform apply. The defaults match existing behaviour.
celtra · Jun 28, 2022 · 3749b5d · 3749b5d
1 parent 8e95860
commit 3749b5d
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 10 deletions.
diff --git a/local.tf b/local.tf
@@ -56,15 +56,18 @@ locals {
     service_linked_role_arn       = ""                          # Arn of custom service linked role that Auto Scaling group will use. Useful when you have encrypted EBS
     termination_policies          = []                          # A list of policies to decide how the instances in the auto scale group should be terminated.
     # Settings for launch templates
-    root_block_device_name            = data.aws_ami.eks_worker.root_device_name # Root device name for workers. If non is provided, will assume default AMI was used.
-    root_kms_key_id                   = ""                                       # The KMS key to use when encrypting the root storage device
-    launch_template_version           = "$Latest"                                # The lastest version of the launch template to use in the autoscaling group
-    launch_template_placement_tenancy = "default"                                # The placement tenancy for instances
-    launch_template_placement_group   = ""                                       # The name of the placement group into which to launch the instances, if any.
-    root_encrypted                    = ""                                       # Whether the volume should be encrypted or not
-    eni_delete                        = true                                     # Delete the Elastic Network Interface (ENI) on termination (if set to false you will have to manually delete before destroying)
-    cpu_credits                       = "standard"                               # T2/T3 unlimited mode, can be 'standard' or 'unlimited'. Used 'standard' mode as default to avoid paying higher costs
-    market_type                       = null
+    root_block_device_name               = data.aws_ami.eks_worker.root_device_name # Root device name for workers. If non is provided, will assume default AMI was used.
+    root_kms_key_id                      = ""                                       # The KMS key to use when encrypting the root storage device
+    launch_template_version              = "$Latest"                                # The lastest version of the launch template to use in the autoscaling group
+    launch_template_placement_tenancy    = "default"                                # The placement tenancy for instances
+    launch_template_placement_group      = ""                                       # The name of the placement group into which to launch the instances, if any.
+    root_encrypted                       = ""                                       # Whether the volume should be encrypted or not
+    eni_delete                           = true                                     # Delete the Elastic Network Interface (ENI) on termination (if set to false you will have to manually delete before destroying)
+    cpu_credits                          = "standard"                               # T2/T3 unlimited mode, can be 'standard' or 'unlimited'. Used 'standard' mode as default to avoid paying higher costs
+    market_type                          = null
+    metadata_http_endpoint               = "enabled"  # The state of the metadata service: enabled, disabled.
+    metadata_http_tokens                 = "optional" # If session tokens are required: optional, required.
+    metadata_http_put_response_hop_limit = null       # The desired HTTP PUT response hop limit for instance metadata requests.
     # Settings for launch templates with mixed instances policy
     override_instance_types                  = ["m5.large", "m5a.large", "m5d.large", "m5ad.large"] # A list of override instance types for mixed instances policy
     on_demand_allocation_strategy            = null                                                 # Strategy to use when launching on-demand instances. Valid values: prioritized.

diff --git a/versions.tf b/versions.tf
@@ -2,7 +2,7 @@ terraform {
   required_version = ">= 0.12"
 
   required_providers {
-    aws      = ">= 2.31.0"
+    aws      = ">= 2.55.0"
     local    = ">= 1.2"
     null     = ">= 2.1"
     template = ">= 2.1"

diff --git a/workers_launch_template.tf b/workers_launch_template.tf
@@ -286,6 +286,24 @@ resource "aws_launch_template" "workers_launch_template" {
     ),
   )
 
+  metadata_options {
+    http_endpoint = lookup(
+      var.worker_groups_launch_template[count.index],
+      "metadata_http_endpoint",
+      local.workers_group_defaults["metadata_http_endpoint"],
+    )
+    http_tokens = lookup(
+      var.worker_groups_launch_template[count.index],
+      "metadata_http_tokens",
+      local.workers_group_defaults["metadata_http_tokens"],
+    )
+    http_put_response_hop_limit = lookup(
+      var.worker_groups_launch_template[count.index],
+      "metadata_http_put_response_hop_limit",
+      local.workers_group_defaults["metadata_http_put_response_hop_limit"],
+    )
+  }
+
   credit_specification {
     cpu_credits = lookup(
       var.worker_groups_launch_template[count.index],