Merge pull request #95 from jeroenhabets/SECURITY_metadata_options

tobyclemson · web-flow · commit 851214c8742a · 2023-11-01T23:46:12.000Z
SECURITY: IMDSv2 support via new cluster_instance_metadata_options parameter
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,16 @@ BACKWARDS INCOMPATIBILITIES / NOTES:
   module since, in the case of autoscaling or manual scaling, the value may have
   changed between `apply`s.
 
+IMPROVEMENTS:
+
+* A `cluster_instance_metadata_options` variable has been added which mirrors
+  the [metadata_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options)
+  exposed on the `aws_launch_template` resource. Among other things, this allows
+  users of this module to require that IMDSv2 be used by containers in the 
+  cluster. By default, IMDSv2 is not required in this version of the module but
+  a future major release of the module may enforce IMDSv2 usage.
+
+
 ## 6.0.0 (February 22th 2023)
 
 BACKWARDS INCOMPATIBILITIES / NOTES:
diff --git a/README.md b/README.md
@@ -17,16 +17,16 @@ The ECS cluster consists of:
   instances
 * An SSH key to connect to the ECS container instances
 * A security group for the container instances optionally allowing:
-  * Outbound internet access for all containers
-  * Inbound TCP access on any port from the VPC network
+    * Outbound internet access for all containers
+    * Inbound TCP access on any port from the VPC network
 * An IAM role and policy for the container instances allowing:
-  * ECS interactions
-  * ECR image pulls
-  * S3 object fetches
-  * Logging to cloudwatch
+    * ECS interactions
+    * ECR image pulls
+    * S3 object fetches
+    * Logging to cloudwatch
 * An IAM role and policy for ECS services allowing:
-  * Elastic load balancer registration / deregistration
-  * EC2 describe actions and security group ingress rule creation
+    * Elastic load balancer registration / deregistration
+    * EC2 describe actions and security group ingress rule creation
 * A CloudWatch log group
 
 ![Diagram of infrastructure managed by this module](https://raw.githubusercontent.com/infrablocks/terraform-aws-ecs-cluster/main/docs/architecture.png)
@@ -39,25 +39,25 @@ configuration:
 
 ```hcl-terraform
 module "ecs_cluster" {
-  source = "infrablocks/ecs-cluster/aws"
+  source  = "infrablocks/ecs-cluster/aws"
   version = "5.0.0"
 
-  region = "eu-west-2"
-  vpc_id = "vpc-fb7dc365"
+  region     = "eu-west-2"
+  vpc_id     = "vpc-fb7dc365"
   subnet_ids = [
-   "subnet-eb32c271",
-   "subnet-64872d1f"
+    "subnet-eb32c271",
+    "subnet-64872d1f"
   ]
 
-  component = "important-component"
+  component             = "important-component"
   deployment_identifier = "production"
 
-  cluster_name = "services"
+  cluster_name                         = "services"
   cluster_instance_ssh_public_key_path = "~/.ssh/id_rsa.pub"
-  cluster_instance_type = "t3.small"
+  cluster_instance_type                = "t3.small"
 
-  cluster_minimum_size = 2
-  cluster_maximum_size = 10
+  cluster_minimum_size     = 2
+  cluster_maximum_size     = 10
   cluster_desired_capacity = 4
 }
 ```
@@ -91,6 +91,7 @@ for more details.
 | cluster_instance_root_block_device_type             | The type of the root block device on cluster instances ('standard', 'gp2', or 'io1')                   |     standard      |               yes               |
 | cluster_instance_user_data_template                 | The contents of a template for container instance user data                                            |   see user-data   |               no                |
 | cluster_instance_ami                                | AMI for the container instances                                                                        | ECS optimised AMI |               yes               |
+| cluster_instance_metadata_options                   | A map of metadata options for cluster instances.                                                       |         -         |               no                |
 | cluster_instance_iam_policy_contents                | The contents of the cluster instance IAM policy                                                        |   see policies    |               no                |
 | cluster_service_iam_policy_contents                 | The contents of the cluster service IAM policy                                                         |   see policies    |               no                |
 | cluster_minimum_size                                | The minimum size of the ECS cluster                                                                    |         1         |               yes               |
@@ -202,7 +203,6 @@ Terraform 1.0.
 * logs:ListTagsLogGroup
 * logs:DeleteLogGroup
 
-
 Development
 -----------
 
diff --git a/asg.tf b/asg.tf
@@ -8,6 +8,7 @@ locals {
   cluster_user_data = replace(
     local.cluster_user_data_template,
     "$${cluster_name}", local.cluster_full_name)
+  cluster_instance_metadata_options = var.cluster_instance_metadata_options == null ? {} : var.cluster_instance_metadata_options
 }
 
 data "aws_ami" "amazon_linux_2" {
@@ -30,6 +31,14 @@ resource "aws_launch_template" "cluster" {
     name = aws_iam_instance_profile.cluster.name
   }
 
+  metadata_options {
+    http_endpoint               = lookup(local.cluster_instance_metadata_options, "http_endpoint", null)
+    http_tokens                 = lookup(local.cluster_instance_metadata_options, "http_tokens", null)
+    http_put_response_hop_limit = lookup(local.cluster_instance_metadata_options, "http_put_response_hop_limit", null)
+    instance_metadata_tags      = lookup(local.cluster_instance_metadata_options, "instance_metadata_tags", null)
+    http_protocol_ipv6          = lookup(local.cluster_instance_metadata_options, "http_protocol_ipv6", null)
+  }
+
   user_data = base64encode(local.cluster_user_data)
 
   network_interfaces {
diff --git a/spec/unit/infra/root/main.tf b/spec/unit/infra/root/main.tf
@@ -29,6 +29,8 @@ module "ecs_cluster" {
   cluster_instance_enable_ebs_volume_encryption = var.cluster_instance_enable_ebs_volume_encryption
   cluster_instance_ebs_volume_kms_key_id = var.cluster_instance_ebs_volume_kms_key_id
 
+  cluster_instance_metadata_options = var.cluster_instance_metadata_options
+
   cluster_minimum_size     = var.cluster_minimum_size
   cluster_maximum_size     = var.cluster_maximum_size
   cluster_desired_capacity = var.cluster_desired_capacity
diff --git a/spec/unit/infra/root/variables.tf b/spec/unit/infra/root/variables.tf
@@ -28,6 +28,11 @@ variable "cluster_instance_root_block_device_path" {
   default = null
 }
 
+variable "cluster_instance_metadata_options" {
+  type = map
+  default = null
+}
+
 variable "cluster_minimum_size" {
   default = null
 }
diff --git a/spec/unit/launch_template_spec.rb b/spec/unit/launch_template_spec.rb
@@ -236,4 +236,49 @@
               ))
     end
   end
+
+  describe 'metadata options' do
+    it 'disables http_protocol_ipv6 and instance_metadata_tags by default' do
+      expect(@plan)
+        .to(include_resource_creation(type: 'aws_launch_template')
+              .with_attribute_value(
+                :metadata_options,
+                including(
+                  including({
+                              http_protocol_ipv6: 'disabled',
+                              instance_metadata_tags: 'disabled'
+                            })
+                )
+              ))
+    end
+
+    context 'when cluster_instance_metadata_options is provided' do
+      before(:context) do
+        @plan = plan(role: :root) do |vars|
+          vars.cluster_instance_metadata_options = {
+            http_endpoint: 'enabled',
+            http_tokens: 'required',
+            http_protocol_ipv6: 'enabled',
+            instance_metadata_tags: 'enabled',
+            http_put_response_hop_limit: 15
+          }
+        end
+      end
+
+      it 'uses provided metadata options' do
+        expect(@plan)
+          .to(include_resource_creation(type: 'aws_launch_template')
+                .with_attribute_value(
+                  :metadata_options,
+                  including(including({
+                                        http_endpoint: 'enabled',
+                                        http_tokens: 'required',
+                                        http_protocol_ipv6: 'enabled',
+                                        instance_metadata_tags: 'enabled',
+                                        http_put_response_hop_limit: 15
+                                      }))
+                ))
+      end
+    end
+  end
 end
diff --git a/variables.tf b/variables.tf
@@ -76,6 +76,12 @@ variable "cluster_instance_iam_policy_contents" {
   type        = string
   default     = null
 }
+
+variable "cluster_instance_metadata_options" {
+  description = "The metadata_options for cluster instances."
+  type        = map
+  default     = null
+}
 variable "cluster_service_iam_policy_contents" {
   description = "The contents of the cluster service IAM policy."
   type        = string

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,11 @@ variable "cluster_instance_root_block_device_path" {`
`28`	`28`	`default = null`
`29`	`29`	`}`
`30`	`30`
	`31`	`+variable "cluster_instance_metadata_options" {`
	`32`	`+ type = map`
	`33`	`+ default = null`
	`34`	`+}`
	`35`	`+`
`31`	`36`	`variable "cluster_minimum_size" {`
`32`	`37`	`default = null`
`33`	`38`	`}`