chore: updated ec2 configurations to require imdsv2

psekar · psekar · commit e0ef9be90f27 · 2025-09-02T17:26:39.000-07:00
diff --git a/enos/README.md b/enos/README.md
@@ -66,6 +66,8 @@ following lines
 127.0.0.1       localhost       worker
 127.0.0.1       localhost       vault
 ```
+### AWS Credentials
+Copy the AWS Account credentials from doormat and set it in the terminal, where the enos commands are run.
 
 ## Executing Scenarios
 From the `enos` directory:
diff --git a/enos/modules/aws_boundary/boundary-instances.tf b/enos/modules/aws_boundary/boundary-instances.tf
@@ -26,6 +26,11 @@ resource "aws_instance" "controller" {
     encrypted   = true
   }
 
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
+
   tags = merge(local.common_tags,
     {
       Name = "${local.name_prefix}-boundary-controller-${count.index}-${split(":", data.aws_caller_identity.current.user_id)[1]}"
@@ -54,6 +59,11 @@ resource "aws_instance" "worker" {
     encrypted   = true
   }
 
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
+
   tags = merge(local.common_tags,
     {
       Name = "${local.name_prefix}-boundary-worker-${count.index}-${split(":", data.aws_caller_identity.current.user_id)[1]}",
diff --git a/enos/modules/aws_rdp_domain_controller/main.tf b/enos/modules/aws_rdp_domain_controller/main.tf
@@ -281,6 +281,7 @@ resource "aws_instance" "domain_controller" {
 
   metadata_options {
     http_endpoint          = "enabled"
+    http_tokens            = "required"
     instance_metadata_tags = "enabled"
   }
   get_password_data = true
diff --git a/enos/modules/aws_rdp_member_server/main.tf b/enos/modules/aws_rdp_member_server/main.tf
@@ -207,6 +207,7 @@ ${var.domain_admin_password}
 
   metadata_options {
     http_endpoint          = "enabled"
+    http_tokens            = "required"
     instance_metadata_tags = "enabled"
   }
   get_password_data = true
diff --git a/enos/modules/aws_rdp_member_server_with_worker/main.tf b/enos/modules/aws_rdp_member_server_with_worker/main.tf
@@ -222,6 +222,7 @@ ${var.domain_admin_password}
 
   metadata_options {
     http_endpoint          = "enabled"
+    http_tokens            = "required"
     instance_metadata_tags = "enabled"
   }
   get_password_data = true
diff --git a/enos/modules/aws_target/main.tf b/enos/modules/aws_target/main.tf
@@ -126,13 +126,18 @@ resource "aws_instance" "target" {
     "Type" : "target",
     "Project" : "Enos",
     "Project Name" : "qti-enos-boundary",
-    "Environment" : var.environment
+    "Environment" : var.environment,
     "Enos User" : var.enos_user,
   })
 
   root_block_device {
     encrypted = true
   }
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
 }
 
 resource "enos_remote_exec" "wait" {
diff --git a/enos/modules/aws_vault/vault-instances.tf b/enos/modules/aws_vault/vault-instances.tf
@@ -17,6 +17,11 @@ resource "aws_instance" "vault_instance" {
       Type = local.vault_cluster_tag
     },
   )
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
 }
 
 resource "enos_remote_exec" "install_dependencies" {
diff --git a/enos/modules/aws_windows_client/main.tf b/enos/modules/aws_windows_client/main.tf
@@ -247,6 +247,7 @@ resource "aws_instance" "client" {
 
   metadata_options {
     http_endpoint          = "enabled"
+    http_tokens            = "required"
     instance_metadata_tags = "enabled"
   }
   get_password_data = true
diff --git a/enos/modules/aws_worker/main.tf b/enos/modules/aws_worker/main.tf
@@ -161,6 +161,11 @@ resource "aws_instance" "worker" {
       Name = "${var.name_prefix}-boundary-worker-${split(":", data.aws_caller_identity.current.user_id)[1]}",
     },
   )
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
 }
 
 resource "enos_bundle_install" "worker" {

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,11 @@ resource "aws_instance" "controller" {`
`26`	`26`	`encrypted = true`
`27`	`27`	`}`
`28`	`28`
	`29`	`+ metadata_options {`
	`30`	`+ http_endpoint = "enabled"`
	`31`	`+ http_tokens = "required"`
	`32`	`+ }`
	`33`	`+`
`29`	`34`	`tags = merge(local.common_tags,`
`30`	`35`	`{`
`31`	`36`	`Name = "${local.name_prefix}-boundary-controller-${count.index}-${split(":", data.aws_caller_identity.current.user_id)[1]}"`
`@@ -54,6 +59,11 @@ resource "aws_instance" "worker" {`
`54`	`59`	`encrypted = true`
`55`	`60`	`}`
`56`	`61`
	`62`	`+ metadata_options {`
	`63`	`+ http_endpoint = "enabled"`
	`64`	`+ http_tokens = "required"`
	`65`	`+ }`
	`66`	`+`
`57`	`67`	`tags = merge(local.common_tags,`
`58`	`68`	`{`
`59`	`69`	`Name = "${local.name_prefix}-boundary-worker-${count.index}-${split(":", data.aws_caller_identity.current.user_id)[1]}",`
Original file line number	Diff line number	Diff line change
`@@ -281,6 +281,7 @@ resource "aws_instance" "domain_controller" {`
`281`	`281`
`282`	`282`	`metadata_options {`
`283`	`283`	`http_endpoint = "enabled"`
	`284`	`+ http_tokens = "required"`
`284`	`285`	`instance_metadata_tags = "enabled"`
`285`	`286`	`}`
`286`	`287`	`get_password_data = true`
Original file line number	Diff line number	Diff line change
`@@ -207,6 +207,7 @@ ${var.domain_admin_password}`
`207`	`207`
`208`	`208`	`metadata_options {`
`209`	`209`	`http_endpoint = "enabled"`
	`210`	`+ http_tokens = "required"`
`210`	`211`	`instance_metadata_tags = "enabled"`
`211`	`212`	`}`
`212`	`213`	`get_password_data = true`
Original file line number	Diff line number	Diff line change
`@@ -222,6 +222,7 @@ ${var.domain_admin_password}`
`222`	`222`
`223`	`223`	`metadata_options {`
`224`	`224`	`http_endpoint = "enabled"`
	`225`	`+ http_tokens = "required"`
`225`	`226`	`instance_metadata_tags = "enabled"`
`226`	`227`	`}`
`227`	`228`	`get_password_data = true`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,11 @@ resource "aws_instance" "vault_instance" {`
`17`	`17`	`Type = local.vault_cluster_tag`
`18`	`18`	`},`
`19`	`19`	`)`
	`20`	`+`
	`21`	`+ metadata_options {`
	`22`	`+ http_endpoint = "enabled"`
	`23`	`+ http_tokens = "required"`
	`24`	`+ }`
`20`	`25`	`}`
`21`	`26`
`22`	`27`	`resource "enos_remote_exec" "install_dependencies" {`
Original file line number	Diff line number	Diff line change
`@@ -247,6 +247,7 @@ resource "aws_instance" "client" {`
`247`	`247`
`248`	`248`	`metadata_options {`
`249`	`249`	`http_endpoint = "enabled"`
	`250`	`+ http_tokens = "required"`
`250`	`251`	`instance_metadata_tags = "enabled"`
`251`	`252`	`}`
`252`	`253`	`get_password_data = true`
Original file line number	Diff line number	Diff line change
`@@ -161,6 +161,11 @@ resource "aws_instance" "worker" {`
`161`	`161`	`Name = "${var.name_prefix}-boundary-worker-${split(":", data.aws_caller_identity.current.user_id)[1]}",`
`162`	`162`	`},`
`163`	`163`	`)`
	`164`	`+`
	`165`	`+ metadata_options {`
	`166`	`+ http_endpoint = "enabled"`
	`167`	`+ http_tokens = "required"`
	`168`	`+ }`
`164`	`169`	`}`
`165`	`170`
`166`	`171`	`resource "enos_bundle_install" "worker" {`