feat(aws_launch_template): parametrize metadata_options (#63)

Author: Abhinav Khanna

README.md

@@ -288,6 +288,9 @@ Available targets:
 | launch\_template\_name | The name (not ID) of a custom launch template to use for the EKS node group. If provided, it must specify the AMI image id. | `string` | `null` | no |
 | launch\_template\_version | The version of the specified launch template to use. Defaults to latest version. | `string` | `null` | no |
 | max\_size | Maximum number of worker nodes | `number` | n/a | yes |
+| metadata\_http\_endpoint | Whether the metadata service is available. Can be enabled or disabled | `string` | `"enabled"` | no |
+| metadata\_http\_put\_response\_hop\_limit | The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Can be an integer from 1 to 64 | `number` | `2` | no |
+| metadata\_http\_tokens | Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2 (IMDSv2). Can be optional or required | `string` | `"optional"` | no |
 | min\_size | Minimum number of worker nodes | `number` | n/a | yes |
 | module\_depends\_on | Can be any value desired. Module will wait for this value to be computed before creating node group. | `any` | `null` | no |
 | name | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no |

docs/terraform.md

@@ -82,6 +82,9 @@
 | launch\_template\_name | The name (not ID) of a custom launch template to use for the EKS node group. If provided, it must specify the AMI image id. | `string` | `null` | no |
 | launch\_template\_version | The version of the specified launch template to use. Defaults to latest version. | `string` | `null` | no |
 | max\_size | Maximum number of worker nodes | `number` | n/a | yes |
+| metadata\_http\_endpoint | Whether the metadata service is available. Can be enabled or disabled | `string` | `"enabled"` | no |
+| metadata\_http\_put\_response\_hop\_limit | The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Can be an integer from 1 to 64 | `number` | `2` | no |
+| metadata\_http\_tokens | Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2 (IMDSv2). Can be optional or required | `string` | `"optional"` | no |
 | min\_size | Minimum number of worker nodes | `number` | n/a | yes |
 | module\_depends\_on | Can be any value desired. Module will wait for this value to be computed before creating node group. | `any` | `null` | no |
 | name | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no |

launch-template.tf

@@ -90,10 +90,12 @@ resource "aws_launch_template" "default" {
   #     If any containers that you deploy to the node group use the Instance Metadata Service Version 2,
   #     then make sure to set the Metadata response hop limit to 2 in your launch template.
   metadata_options {
-    http_put_response_hop_limit = 2
     # Despite being documented as "Optional", `http_endpoint` is required when `http_put_response_hop_limit` is set.
     # We set it to the default setting of "enabled".
-    http_endpoint = "enabled"
+
+    http_endpoint               = var.metadata_http_endpoint
+    http_put_response_hop_limit = var.metadata_http_put_response_hop_limit
+    http_tokens                 = var.metadata_http_tokens
   }
 
   vpc_security_group_ids = local.launch_template_vpc_security_group_ids

main.tf

@@ -2,11 +2,11 @@ locals {
   enabled = module.this.enabled
 
   # See https://aws.amazon.com/blogs/containers/introducing-launch-template-and-custom-ami-support-in-amazon-eks-managed-node-groups/
-  features_require_ami    = local.enabled && local.need_bootstrap
-  configured_ami_image_id = var.ami_image_id == null ? "" : var.ami_image_id
-  need_ami_id             = local.enabled ? local.features_require_ami && length(local.configured_ami_image_id) == 0 : false
-
-  features_require_launch_template = local.enabled ? length(var.resources_to_tag) > 0 || local.need_userdata || local.features_require_ami : false
+  features_require_ami             = local.enabled && local.need_bootstrap
+  configured_ami_image_id          = var.ami_image_id == null ? "" : var.ami_image_id
+  need_ami_id                      = local.enabled ? local.features_require_ami && length(local.configured_ami_image_id) == 0 : false
+  need_imds_settings               = var.metadata_http_endpoint != "enabled" || var.metadata_http_put_response_hop_limit != 1 || var.metadata_http_tokens != "optional"
+  features_require_launch_template = local.enabled ? length(var.resources_to_tag) > 0 || local.need_userdata || local.features_require_ami || local.need_imds_settings : false
 
   have_ssh_key = var.ec2_ssh_key != null && var.ec2_ssh_key != ""
 

variables.tf

@@ -279,3 +279,20 @@ variable "launch_template_disk_encryption_kms_key_id" {
   description = "Custom KMS Key ID to encrypt EBS volumes on EC2 instances, applicable only if `launch_template_disk_encryption_enabled` is set to true"
 }
 
+variable "metadata_http_put_response_hop_limit" {
+  default     = 2
+  type        = number
+  description = "The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Can be an integer from 1 to 64"
+}
+
+variable "metadata_http_endpoint" {
+  default     = "enabled"
+  type        = string
+  description = "Whether the metadata service is available. Can be enabled or disabled"
+}
+
+variable "metadata_http_tokens" {
+  default     = "optional"
+  type        = string
+  description = "Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2 (IMDSv2). Can be optional or required"
+}