diff --git a/main.tf b/main.tf
index 51e5200..b1be649 100644
--- a/main.tf
+++ b/main.tf
@@ -276,11 +276,11 @@ resource "aws_launch_template" "default" {
   user_data = base64encode(var.user_data)
   monitoring {
-    enabled = true
+    enabled = var.monitoring_enabled
   }
   network_interfaces {
-    associate_public_ip_address = false
+    associate_public_ip_address = var.associate_public_ip_address
     delete_on_termination = true
     security_groups = concat(var.additional_security_group_ids, [aws_security_group.default.id])
   }
@@ -302,6 +302,12 @@ resource "aws_launch_template" "default" {
   lifecycle {
     create_before_destroy = true
   }
+
+  metadata_options {
+    http_endpoint = var.metadata_http_endpoint_enabled ? "enabled" : "disabled"
+    http_tokens = var.metadata_imdsv2_enabled ? "required" : "optional"
+    http_protocol_ipv6 = var.metadata_http_protocol_ipv6_enabled ? "enabled" : "disabled"
+  }
 }
 
 resource "aws_autoscaling_group" "default" {
diff --git a/variables.tf b/variables.tf
index fe01e28..44a29be 100644
--- a/variables.tf
+++ b/variables.tf
@@ -62,6 +62,40 @@ variable "additional_security_group_ids" {
   default = []
 }
 
+variable "monitoring_enabled" {
+  description = "Enable detailed monitoring of instance"
+  type = bool
+  default = true
+}
+
+variable "associate_public_ip_address" {
+  description = "Associate public IP address"
+  type = bool
+  # default should fall back to subnet setting
+  default = null
+}
+
+variable "metadata_http_endpoint_enabled" {
+  description = "Whether or not to enable the metadata http endpoint"
+  type = bool
+  default = true
+}
+
+variable "metadata_imdsv2_enabled" {
+  description = <<-EOT
+    Whether or not the metadata service requires session tokens,
+    also referred to as Instance Metadata Service Version 2 (IMDSv2).
+  EOT
+  type = bool
+  default = true
+}
+
+variable "metadata_http_protocol_ipv6_enabled" {
+  description = "Enable IPv6 metadata endpoint"
+  type = bool
+  default = false
+}
+
 ######################
 ## SESSION LOGGING ##
 ####################
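Review bot: Replacing the hard-coded `associate_public_ip_address = false` with `var.associate_public_ip_address`, whose default in variables.tf is `null`, silently changes the module's default exposure: instances launched into a subnet with map-public-IP-on-launch enabled will now receive a public address where they previously never did. If the intent is only to make the setting configurable, keep the prior behaviour as the default, `associate_public_ip_address = coalesce(var.associate_public_ip_address, false)`, or keep `default = null` and state the new behaviour in the variable description so callers opt in consciously. The `aws_launch_template` resource begins and ends outside this hunk.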
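Review bot: The new `metadata_options` block does not set `http_put_response_hop_limit`, so it stays at the provider default, which I believe is 1; combined with `http_tokens = "required"` that is the stricter choice, but it also means any containerised workload on the host cannot reach IMDS, and nothing in the block says this is deliberate. A short comment above the block, `# hop limit left at the provider default (1): tokens cannot be relayed past the host; raise via a new variable if containers need IMDS`, would make the decision visible to callers. It is also worth noting in the same comment that `http_tokens` and `http_protocol_ipv6` have no effect once `http_endpoint` is `"disabled"`.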
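Review bot: The description of `associate_public_ip_address` does not tell callers what `null` means, and the explanatory comment (`# default should fall back to subnet setting`) is a code comment that `terraform-docs` and the registry will not surface. Moving that information into the description, `description = "Associate a public IP address with the instance. null (the default) defers to the subnet's map-public-IP setting, which may expose the instance; set false to force a private address."`, makes the exposure decision explicit where module users actually read it. Similarly, the `metadata_imdsv2_enabled` description could state that `false` leaves IMDSv1 reachable, e.g. appending `Setting this to false allows IMDSv1 (no session token) requests.` to the heredoc.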