Remove breaking changes.

Author: tobyclemson

CHANGELOG.md

@@ -2,14 +2,20 @@
 
 BACKWARDS INCOMPATIBILITIES / NOTES:
 
-
-* IMDSv2 support is now on by default, this can be changed via the new
-  `cluster_instance_metadata_options` variable which mirrors 
-  aws_launch_template's [metadata_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options)
 * The `cluster_desired_capacity` is now ignored after the first `apply` of the
   module since, in the case of autoscaling or manual scaling, the value may have
   changed between `apply`s.
 
+IMPROVEMENTS:
+
+* A `cluster_instance_metadata_options` variable has been added which mirrors
+  the [metadata_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options)
+  exposed on the `aws_launch_template` resource. Among other things, this allows
+  users of this module to require that IMDSv2 be used by containers in the 
+  cluster. By default, IMDSv2 is not required in this version of the module but
+  a future major release of the module may enforce IMDSv2 usage.
+
+
 ## 6.0.0 (February 22th 2023)
 
 BACKWARDS INCOMPATIBILITIES / NOTES:

README.md

@@ -17,16 +17,16 @@ The ECS cluster consists of:
   instances
 * An SSH key to connect to the ECS container instances
 * A security group for the container instances optionally allowing:
-  * Outbound internet access for all containers
-  * Inbound TCP access on any port from the VPC network
+    * Outbound internet access for all containers
+    * Inbound TCP access on any port from the VPC network
 * An IAM role and policy for the container instances allowing:
-  * ECS interactions
-  * ECR image pulls
-  * S3 object fetches
-  * Logging to cloudwatch
+    * ECS interactions
+    * ECR image pulls
+    * S3 object fetches
+    * Logging to cloudwatch
 * An IAM role and policy for ECS services allowing:
-  * Elastic load balancer registration / deregistration
-  * EC2 describe actions and security group ingress rule creation
+    * Elastic load balancer registration / deregistration
+    * EC2 describe actions and security group ingress rule creation
 * A CloudWatch log group
 
 ![Diagram of infrastructure managed by this module](https://raw.githubusercontent.com/infrablocks/terraform-aws-ecs-cluster/main/docs/architecture.png)
@@ -39,25 +39,25 @@ configuration:
 
 ```hcl-terraform
 module "ecs_cluster" {
-  source = "infrablocks/ecs-cluster/aws"
+  source  = "infrablocks/ecs-cluster/aws"
   version = "5.0.0"
 
-  region = "eu-west-2"
-  vpc_id = "vpc-fb7dc365"
+  region     = "eu-west-2"
+  vpc_id     = "vpc-fb7dc365"
   subnet_ids = [
-   "subnet-eb32c271",
-   "subnet-64872d1f"
+    "subnet-eb32c271",
+    "subnet-64872d1f"
   ]
 
-  component = "important-component"
+  component             = "important-component"
   deployment_identifier = "production"
 
-  cluster_name = "services"
+  cluster_name                         = "services"
   cluster_instance_ssh_public_key_path = "~/.ssh/id_rsa.pub"
-  cluster_instance_type = "t3.small"
+  cluster_instance_type                = "t3.small"
 
-  cluster_minimum_size = 2
-  cluster_maximum_size = 10
+  cluster_minimum_size     = 2
+  cluster_maximum_size     = 10
   cluster_desired_capacity = 4
 }
 ```
@@ -91,9 +91,9 @@ for more details.
 | cluster_instance_root_block_device_type             | The type of the root block device on cluster instances ('standard', 'gp2', or 'io1')                   |     standard      |               yes               |
 | cluster_instance_user_data_template                 | The contents of a template for container instance user data                                            |   see user-data   |               no                |
 | cluster_instance_ami                                | AMI for the container instances                                                                        | ECS optimised AMI |               yes               |
+| cluster_instance_metadata_options                   | A map of metadata options for cluster instances.                                                       |         -         |               no                |
 | cluster_instance_iam_policy_contents                | The contents of the cluster instance IAM policy                                                        |   see policies    |               no                |
 | cluster_service_iam_policy_contents                 | The contents of the cluster service IAM policy                                                         |   see policies    |               no                |
-| cluster_instance_metadata_options                   | Map of metadata_options for cluster instances. | { http_tokens = "required" } | no |
 | cluster_minimum_size                                | The minimum size of the ECS cluster                                                                    |         1         |               yes               |
 | cluster_maximum_size                                | The maximum size of the ECS cluster                                                                    |        10         |               yes               |
 | cluster_desired_capacity                            | The desired capacity of the ECS cluster                                                                |         3         |               yes               |
@@ -119,7 +119,6 @@ for more details.
 Notes:
 
 * By default, the latest available Amazon Linux 2 AMI is used.
-* By default, [IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) is now required for [security reasons](https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/)
 * For Amazon Linux 1 AMIs use version <= 0.6.0 of this module for terraform 0.11
   or version = 1.0.0 for terraform 0.12.
 * When a specific AMI is provided via `cluster_instance_ami`, only the root
@@ -204,7 +203,6 @@ Terraform 1.0.
 * logs:ListTagsLogGroup
 * logs:DeleteLogGroup
 
-
 Development
 -----------
 

asg.tf

@@ -8,6 +8,7 @@ locals {
   cluster_user_data = replace(
     local.cluster_user_data_template,
     "$${cluster_name}", local.cluster_full_name)
+  cluster_instance_metadata_options = var.cluster_instance_metadata_options == null ? {} : var.cluster_instance_metadata_options
 }
 
 data "aws_ami" "amazon_linux_2" {
@@ -31,11 +32,11 @@ resource "aws_launch_template" "cluster" {
   }
 
   metadata_options {
-    http_endpoint               = lookup(var.cluster_instance_metadata_options, "http_endpoint", null)
-    http_tokens                 = lookup(var.cluster_instance_metadata_options, "http_tokens", null)
-    http_put_response_hop_limit = lookup(var.cluster_instance_metadata_options, "http_put_response_hop_limit", null)
-    instance_metadata_tags      = lookup(var.cluster_instance_metadata_options, "instance_metadata_tags", null)
-    http_protocol_ipv6          = lookup(var.cluster_instance_metadata_options, "http_protocol_ipv6", null)
+    http_endpoint               = lookup(local.cluster_instance_metadata_options, "http_endpoint", null)
+    http_tokens                 = lookup(local.cluster_instance_metadata_options, "http_tokens", null)
+    http_put_response_hop_limit = lookup(local.cluster_instance_metadata_options, "http_put_response_hop_limit", null)
+    instance_metadata_tags      = lookup(local.cluster_instance_metadata_options, "instance_metadata_tags", null)
+    http_protocol_ipv6          = lookup(local.cluster_instance_metadata_options, "http_protocol_ipv6", null)
   }
 
   user_data = base64encode(local.cluster_user_data)

spec/unit/launch_template_spec.rb

@@ -238,20 +238,7 @@
   end
 
   describe 'metadata options' do
-    it 'requires http_tokens (IMDSv2) by default' do
-      expect(@plan)
-        .to(include_resource_creation(type: 'aws_launch_template')
-              .with_attribute_value(
-                :metadata_options,
-                including(
-                  including({
-                              http_tokens: 'required'
-                            })
-                )
-              ))
-    end
-
-    it 'http_protocol_ipv6 and instance_metadata_tags disabled by default' do
+    it 'disables http_protocol_ipv6 and instance_metadata_tags by default' do
       expect(@plan)
         .to(include_resource_creation(type: 'aws_launch_template')
               .with_attribute_value(
@@ -270,7 +257,7 @@
         @plan = plan(role: :root) do |vars|
           vars.cluster_instance_metadata_options = {
             http_endpoint: 'enabled',
-            http_tokens: 'optional',
+            http_tokens: 'required',
             http_protocol_ipv6: 'enabled',
             instance_metadata_tags: 'enabled',
             http_put_response_hop_limit: 15
@@ -285,7 +272,7 @@
                   :metadata_options,
                   including(including({
                                         http_endpoint: 'enabled',
-                                        http_tokens: 'optional',
+                                        http_tokens: 'required',
                                         http_protocol_ipv6: 'enabled',
                                         instance_metadata_tags: 'enabled',
                                         http_put_response_hop_limit: 15

variables.tf

@@ -80,10 +80,7 @@ variable "cluster_instance_iam_policy_contents" {
 variable "cluster_instance_metadata_options" {
   description = "The metadata_options for cluster instances."
   type        = map
-  default     = {
-    http_tokens = "required"      # AWS Recommended default: IMDSv2 required
-  }
-  nullable    = false
+  default     = null
 }
 variable "cluster_service_iam_policy_contents" {
   description = "The contents of the cluster service IAM policy."