fix: Allow settting metadata endpoint options so users can configure or disable (#657)

bryantbiggs · web-flow · commit cc3c024d4529 · 2022-06-23T07:31:46.000-04:00
diff --git a/examples/node-groups/managed-node-groups/main.tf b/examples/node-groups/managed-node-groups/main.tf
@@ -134,6 +134,10 @@ module "eks_blueprints" {
       eni_delete        = true
       public_ip         = false # Use this to enable public IP for EC2 instances; only for public subnets used in launch templates
 
+      http_endpoint               = "enabled"
+      http_tokens                 = "optional"
+      http_put_response_hop_limit = 3
+
       # pre_userdata can be used in both cases where you provide custom_ami_id or ami_type
       pre_userdata = <<-EOT
         yum install -y amazon-ssm-agent
diff --git a/examples/node-groups/self-managed-node-groups/main.tf b/examples/node-groups/self-managed-node-groups/main.tf
@@ -78,6 +78,8 @@ module "eks_blueprints" {
       public_ip              = false
       enable_monitoring      = false
 
+      enable_metadata_options = false
+
       pre_userdata = <<-EOT
         yum install -y amazon-ssm-agent
         systemctl enable amazon-ssm-agent && systemctl start amazon-ssm-agent
diff --git a/locals.tf b/locals.tf
@@ -9,10 +9,6 @@ locals {
     # aws_partition
     aws_partition_id         = data.aws_partition.current.id
     aws_partition_dns_suffix = data.aws_partition.current.dns_suffix
-    # http details
-    http_endpoint               = "enabled"
-    http_tokens                 = "required"
-    http_put_response_hop_limit = 2 # Hop limit should be between 2 and 64 for IMDSv2 instance metadata services
   }
 
   eks_cluster_id     = module.aws_eks.cluster_id
@@ -39,11 +35,6 @@ locals {
     # Worker Security Group
     worker_security_group_ids = local.worker_security_group_ids
 
-    # Http config
-    http_endpoint               = local.context.http_endpoint
-    http_tokens                 = local.context.http_tokens
-    http_put_response_hop_limit = local.context.http_put_response_hop_limit
-
     # Data sources
     aws_partition_dns_suffix = local.context.aws_partition_dns_suffix
     aws_partition_id         = local.context.aws_partition_id
diff --git a/modules/aws-eks-managed-node-groups/README.md b/modules/aws-eks-managed-node-groups/README.md
@@ -46,7 +46,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_context"></a> [context](#input\_context) | Input configuration for the Node groups | <pre>object({<br>    # EKS Cluster Config<br>    eks_cluster_id    = string<br>    cluster_ca_base64 = string<br>    cluster_endpoint  = string<br>    cluster_version   = string<br>    # VPC Config<br>    vpc_id             = string<br>    private_subnet_ids = list(string)<br>    public_subnet_ids  = list(string)<br>    # Security Groups<br>    worker_security_group_ids = list(string)<br><br>    # Http config<br>    http_endpoint               = string<br>    http_tokens                 = string<br>    http_put_response_hop_limit = number<br>    # Data sources<br>    aws_partition_dns_suffix = string<br>    aws_partition_id         = string<br>    #IAM<br>    iam_role_path                 = string<br>    iam_role_permissions_boundary = string<br>    # Tags<br>    tags = map(string)<br>    # Service IPV4/IPV6 CIDR<br>    service_ipv6_cidr = string<br>    service_ipv4_cidr = string<br>  })</pre> | n/a | yes |
+| <a name="input_context"></a> [context](#input\_context) | Input configuration for the Node groups | <pre>object({<br>    # EKS Cluster Config<br>    eks_cluster_id    = string<br>    cluster_ca_base64 = string<br>    cluster_endpoint  = string<br>    cluster_version   = string<br>    # VPC Config<br>    vpc_id             = string<br>    private_subnet_ids = list(string)<br>    public_subnet_ids  = list(string)<br>    # Security Groups<br>    worker_security_group_ids = list(string)<br><br>    # Data sources<br>    aws_partition_dns_suffix = string<br>    aws_partition_id         = string<br>    #IAM<br>    iam_role_path                 = string<br>    iam_role_permissions_boundary = string<br>    # Tags<br>    tags = map(string)<br>    # Service IPV4/IPV6 CIDR<br>    service_ipv6_cidr = string<br>    service_ipv4_cidr = string<br>  })</pre> | n/a | yes |
 | <a name="input_managed_ng"></a> [managed\_ng](#input\_managed\_ng) | Map of maps of `eks_node_groups` to create | `any` | `{}` | no |
 
 ## Outputs
diff --git a/modules/aws-eks-managed-node-groups/managed-launch-templates.tf b/modules/aws-eks-managed-node-groups/managed-launch-templates.tf
@@ -33,10 +33,16 @@ resource "aws_launch_template" "managed_node_groups" {
     enabled = local.managed_node_group["enable_monitoring"]
   }
 
-  metadata_options {
-    http_endpoint               = try(var.context.http_endpoint, "enabled")
-    http_tokens                 = try(var.context.http_tokens, "required") #tfsec:ignore:aws-autoscaling-enforce-http-token-imds
-    http_put_response_hop_limit = try(var.context.http_put_response_hop_limit, 2)
+  dynamic "metadata_options" {
+    for_each = try(var.managed_ng.enable_metadata_options, true) ? [1] : []
+
+    content {
+      http_endpoint               = try(var.managed_ng.http_endpoint, "enabled")
+      http_tokens                 = try(var.managed_ng.http_tokens, "required") #tfsec:ignore:aws-autoscaling-enforce-http-token-imds
+      http_put_response_hop_limit = try(var.managed_ng.http_put_response_hop_limit, 2)
+      http_protocol_ipv6          = try(var.managed_ng.http_protocol_ipv6, null)
+      instance_metadata_tags      = try(var.managed_ng.instance_metadata_tags, null)
+    }
   }
 
   tag_specifications {
diff --git a/modules/aws-eks-managed-node-groups/variables.tf b/modules/aws-eks-managed-node-groups/variables.tf
@@ -19,10 +19,6 @@ variable "context" {
     # Security Groups
     worker_security_group_ids = list(string)
 
-    # Http config
-    http_endpoint               = string
-    http_tokens                 = string
-    http_put_response_hop_limit = number
     # Data sources
     aws_partition_dns_suffix = string
     aws_partition_id         = string
diff --git a/modules/aws-eks-self-managed-node-groups/README.md b/modules/aws-eks-self-managed-node-groups/README.md
@@ -46,7 +46,7 @@ Checkout the usage docs for Self-managed Node groups [examples](https://aws-ia.g
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_context"></a> [context](#input\_context) | Input configuration for the Node groups | <pre>object({<br>    # EKS Cluster Config<br>    eks_cluster_id    = string<br>    cluster_ca_base64 = string<br>    cluster_endpoint  = string<br>    cluster_version   = string<br>    # VPC Config<br>    vpc_id             = string<br>    private_subnet_ids = list(string)<br>    public_subnet_ids  = list(string)<br>    # Security Groups<br>    worker_security_group_ids = list(string)<br>    # Http config<br>    http_endpoint               = string<br>    http_tokens                 = string<br>    http_put_response_hop_limit = number<br>    # Data sources<br>    aws_partition_dns_suffix = string<br>    aws_partition_id         = string<br><br>    iam_role_path                 = string<br>    iam_role_permissions_boundary = string<br>    # Tags<br>    tags = map(string)<br>    # Service IPV4/IPV6 CIDR<br>    service_ipv6_cidr = string<br>    service_ipv4_cidr = string<br>  })</pre> | n/a | yes |
+| <a name="input_context"></a> [context](#input\_context) | Input configuration for the Node groups | <pre>object({<br>    # EKS Cluster Config<br>    eks_cluster_id    = string<br>    cluster_ca_base64 = string<br>    cluster_endpoint  = string<br>    cluster_version   = string<br>    # VPC Config<br>    vpc_id             = string<br>    private_subnet_ids = list(string)<br>    public_subnet_ids  = list(string)<br>    # Security Groups<br>    worker_security_group_ids = list(string)<br>    # Data sources<br>    aws_partition_dns_suffix = string<br>    aws_partition_id         = string<br><br>    iam_role_path                 = string<br>    iam_role_permissions_boundary = string<br>    # Tags<br>    tags = map(string)<br>    # Service IPV4/IPV6 CIDR<br>    service_ipv6_cidr = string<br>    service_ipv4_cidr = string<br>  })</pre> | n/a | yes |
 | <a name="input_self_managed_ng"></a> [self\_managed\_ng](#input\_self\_managed\_ng) | Map of maps of `eks_self_managed_node_groups` to create | `any` | `{}` | no |
 
 ## Outputs
diff --git a/modules/aws-eks-self-managed-node-groups/self-managed-launch-templates.tf b/modules/aws-eks-self-managed-node-groups/self-managed-launch-templates.tf
@@ -17,9 +17,12 @@ module "launch_template_self_managed_ng" {
       kubelet_extra_args   = local.self_managed_node_group["kubelet_extra_args"]
       monitoring           = local.self_managed_node_group["enable_monitoring"]
 
-      http_endpoint               = var.context.http_endpoint
-      http_tokens                 = var.context.http_tokens
-      http_put_response_hop_limit = var.context.http_put_response_hop_limit
+      enable_metadata_options     = try(var.self_managed_ng.enable_metadata_options, true)
+      http_endpoint               = try(var.self_managed_ng.http_endpoint, "enabled")
+      http_tokens                 = try(var.self_managed_ng.http_tokens, "required")
+      http_put_response_hop_limit = try(var.self_managed_ng.http_put_response_hop_limit, 2)
+      http_protocol_ipv6          = try(var.self_managed_ng.http_protocol_ipv6, null)
+      instance_metadata_tags      = try(var.self_managed_ng.instance_metadata_tags, null)
 
       service_ipv6_cidr = var.context.service_ipv6_cidr
       service_ipv4_cidr = var.context.service_ipv4_cidr
diff --git a/modules/aws-eks-self-managed-node-groups/variables.tf b/modules/aws-eks-self-managed-node-groups/variables.tf
@@ -18,10 +18,6 @@ variable "context" {
     public_subnet_ids  = list(string)
     # Security Groups
     worker_security_group_ids = list(string)
-    # Http config
-    http_endpoint               = string
-    http_tokens                 = string
-    http_put_response_hop_limit = number
     # Data sources
     aws_partition_dns_suffix = string
     aws_partition_id         = string
diff --git a/modules/launch-templates/README.md b/modules/launch-templates/README.md
@@ -122,7 +122,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_eks_cluster_id"></a> [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS Cluster ID | `string` | n/a | yes |
-| <a name="input_launch_template_config"></a> [launch\_template\_config](#input\_launch\_template\_config) | Launch template configuration | <pre>map(object({<br>    ami                    = string<br>    launch_template_os     = optional(string)<br>    launch_template_prefix = string<br>    instance_type          = optional(string)<br>    capacity_type          = optional(string)<br>    iam_instance_profile   = optional(string)<br>    vpc_security_group_ids = optional(list(string)) # conflicts with network_interfaces<br><br>    network_interfaces = optional(list(object({<br>      public_ip       = optional(bool)<br>      security_groups = optional(list(string))<br>    })))<br><br>    block_device_mappings = list(object({<br>      device_name           = string<br>      volume_type           = string<br>      volume_size           = string<br>      delete_on_termination = optional(bool)<br>      encrypted             = optional(bool)<br>      kms_key_id            = optional(string)<br>      iops                  = optional(string)<br>      throughput            = optional(string)<br>    }))<br><br>    format_mount_nvme_disk = optional(bool)<br>    pre_userdata           = optional(string)<br>    bootstrap_extra_args   = optional(string)<br>    post_userdata          = optional(string)<br>    kubelet_extra_args     = optional(string)<br><br>    http_endpoint               = optional(string)<br>    http_tokens                 = optional(string)<br>    http_put_response_hop_limit = optional(number)<br><br>    service_ipv6_cidr = optional(string)<br>    service_ipv4_cidr = optional(string)<br><br>    monitoring = optional(bool)<br>  }))</pre> | n/a | yes |
+| <a name="input_launch_template_config"></a> [launch\_template\_config](#input\_launch\_template\_config) | Launch template configuration | <pre>map(object({<br>    ami                    = string<br>    launch_template_os     = optional(string)<br>    launch_template_prefix = string<br>    instance_type          = optional(string)<br>    capacity_type          = optional(string)<br>    iam_instance_profile   = optional(string)<br>    vpc_security_group_ids = optional(list(string)) # conflicts with network_interfaces<br><br>    network_interfaces = optional(list(object({<br>      public_ip       = optional(bool)<br>      security_groups = optional(list(string))<br>    })))<br><br>    block_device_mappings = list(object({<br>      device_name           = string<br>      volume_type           = string<br>      volume_size           = string<br>      delete_on_termination = optional(bool)<br>      encrypted             = optional(bool)<br>      kms_key_id            = optional(string)<br>      iops                  = optional(string)<br>      throughput            = optional(string)<br>    }))<br><br>    format_mount_nvme_disk = optional(bool)<br>    pre_userdata           = optional(string)<br>    bootstrap_extra_args   = optional(string)<br>    post_userdata          = optional(string)<br>    kubelet_extra_args     = optional(string)<br><br>    enable_metadata_options     = optional(bool)<br>    http_endpoint               = optional(string)<br>    http_tokens                 = optional(string)<br>    http_put_response_hop_limit = optional(number)<br><br>    service_ipv6_cidr = optional(string)<br>    service_ipv4_cidr = optional(string)<br><br>    monitoring = optional(bool)<br>  }))</pre> | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit`,`XYZ`) | `map(string)` | `{}` | no |
 
 ## Outputs
diff --git a/modules/launch-templates/locals.tf b/modules/launch-templates/locals.tf
@@ -35,14 +35,11 @@ locals {
     post_userdata        = ""
     kubelet_extra_args   = ""
 
-    http_endpoint               = "enabled"
-    http_tokens                 = "required"
-    http_put_response_hop_limit = 2
-
     service_ipv6_cidr      = ""
     service_ipv4_cidr      = ""
     format_mount_nvme_disk = false
 
-    monitoring = true
+    monitoring              = true
+    enable_metadata_options = true
   })
 }
diff --git a/modules/launch-templates/main.tf b/modules/launch-templates/main.tf
@@ -70,16 +70,23 @@ resource "aws_launch_template" "this" {
   }
 
   dynamic "monitoring" {
-    for_each = each.value.monitoring ? { enabled = true } : {}
+    for_each = each.value.monitoring ? [1] : []
+
     content {
       enabled = true
     }
   }
 
-  metadata_options {
-    http_endpoint               = each.value.http_endpoint
-    http_tokens                 = each.value.http_tokens
-    http_put_response_hop_limit = each.value.http_put_response_hop_limit
+  dynamic "metadata_options" {
+    for_each = each.value.enable_metadata_options ? [1] : []
+
+    content {
+      http_endpoint               = try(each.value.http_endpoint, "enabled")
+      http_tokens                 = try(each.value.http_tokens, "required")
+      http_put_response_hop_limit = try(each.value.http_put_response_hop_limit, 2)
+      http_protocol_ipv6          = try(each.value.http_protocol_ipv6, null)
+      instance_metadata_tags      = try(each.value.instance_metadata_tags, null)
+    }
   }
 
   lifecycle {
diff --git a/modules/launch-templates/variables.tf b/modules/launch-templates/variables.tf
@@ -31,6 +31,7 @@ variable "launch_template_config" {
     post_userdata          = optional(string)
     kubelet_extra_args     = optional(string)
 
+    enable_metadata_options     = optional(bool)
     http_endpoint               = optional(string)
     http_tokens                 = optional(string)
     http_put_response_hop_limit = optional(number)
