chore: updated ec2 configurations to require imdsv2 (#6005)

psekar · web-flow · commit fac22dfc4ab9 · 2025-09-30T13:40:18.000-04:00
diff --git a/enos/README.md b/enos/README.md
@@ -66,6 +66,8 @@ following lines
 127.0.0.1       localhost       worker
 127.0.0.1       localhost       vault
 ```
+### AWS Credentials
+Copy the AWS Account credentials from doormat and set it in the terminal, where the enos commands are run.
 
 ## Executing Scenarios
 From the `enos` directory:
diff --git a/enos/modules/aws_boundary/boundary-instances.tf b/enos/modules/aws_boundary/boundary-instances.tf
@@ -26,6 +26,11 @@ resource "aws_instance" "controller" {
     encrypted   = true
   }
 
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
+
   tags = merge(local.common_tags,
     {
       Name = "${local.name_prefix}-boundary-controller-${count.index}-${split(":", data.aws_caller_identity.current.user_id)[1]}"
@@ -54,6 +59,11 @@ resource "aws_instance" "worker" {
     encrypted   = true
   }
 
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
+
   tags = merge(local.common_tags,
     {
       Name = "${local.name_prefix}-boundary-worker-${count.index}-${split(":", data.aws_caller_identity.current.user_id)[1]}",
diff --git a/enos/modules/aws_rdp_domain_controller/main.tf b/enos/modules/aws_rdp_domain_controller/main.tf
@@ -302,6 +302,7 @@ resource "aws_instance" "domain_controller" {
 
   metadata_options {
     http_endpoint          = "enabled"
+    http_tokens            = "required"
     instance_metadata_tags = "enabled"
   }
   get_password_data = true
diff --git a/enos/modules/aws_rdp_member_server/main.tf b/enos/modules/aws_rdp_member_server/main.tf
@@ -234,6 +234,7 @@ ${var.domain_admin_password}
 
   metadata_options {
     http_endpoint          = "enabled"
+    http_tokens            = "required"
     instance_metadata_tags = "enabled"
   }
   get_password_data = true
diff --git a/enos/modules/aws_rdp_member_server_with_worker/main.tf b/enos/modules/aws_rdp_member_server_with_worker/main.tf
@@ -251,6 +251,7 @@ ${var.domain_admin_password}
 
   metadata_options {
     http_endpoint          = "enabled"
+    http_tokens            = "required"
     instance_metadata_tags = "enabled"
   }
   get_password_data = true
diff --git a/enos/modules/aws_target/main.tf b/enos/modules/aws_target/main.tf
@@ -126,13 +126,18 @@ resource "aws_instance" "target" {
     "Type" : "target",
     "Project" : "Enos",
     "Project Name" : "qti-enos-boundary",
-    "Environment" : var.environment
+    "Environment" : var.environment,
     "Enos User" : var.enos_user,
   })
 
   root_block_device {
     encrypted = true
   }
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
 }
 
 resource "enos_remote_exec" "wait" {
diff --git a/enos/modules/aws_vault/vault-instances.tf b/enos/modules/aws_vault/vault-instances.tf
@@ -17,6 +17,11 @@ resource "aws_instance" "vault_instance" {
       Type = local.vault_cluster_tag
     },
   )
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
 }
 
 resource "enos_remote_exec" "install_dependencies" {
diff --git a/enos/modules/aws_windows_client/main.tf b/enos/modules/aws_windows_client/main.tf
@@ -253,6 +253,7 @@ resource "aws_instance" "client" {
 
   metadata_options {
     http_endpoint          = "enabled"
+    http_tokens            = "required"
     instance_metadata_tags = "enabled"
   }
   get_password_data = true
diff --git a/enos/modules/aws_worker/main.tf b/enos/modules/aws_worker/main.tf
@@ -161,6 +161,11 @@ resource "aws_instance" "worker" {
       Name = "${var.name_prefix}-boundary-worker-${split(":", data.aws_caller_identity.current.user_id)[1]}",
     },
   )
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
 }
 
 resource "enos_bundle_install" "worker" {

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,11 @@ resource "aws_instance" "controller" {`
`26`	`26`	`encrypted = true`
`27`	`27`	`}`
`28`	`28`
	`29`	`+ metadata_options {`
	`30`	`+ http_endpoint = "enabled"`
	`31`	`+ http_tokens = "required"`
	`32`	`+ }`
	`33`	`+`
`29`	`34`	`tags = merge(local.common_tags,`
`30`	`35`	`{`
`31`	`36`	`Name = "${local.name_prefix}-boundary-controller-${count.index}-${split(":", data.aws_caller_identity.current.user_id)[1]}"`
`@@ -54,6 +59,11 @@ resource "aws_instance" "worker" {`
`54`	`59`	`encrypted = true`
`55`	`60`	`}`
`56`	`61`
	`62`	`+ metadata_options {`
	`63`	`+ http_endpoint = "enabled"`
	`64`	`+ http_tokens = "required"`
	`65`	`+ }`
	`66`	`+`
`57`	`67`	`tags = merge(local.common_tags,`
`58`	`68`	`{`
`59`	`69`	`Name = "${local.name_prefix}-boundary-worker-${count.index}-${split(":", data.aws_caller_identity.current.user_id)[1]}",`
Original file line number	Diff line number	Diff line change
`@@ -302,6 +302,7 @@ resource "aws_instance" "domain_controller" {`
`302`	`302`
`303`	`303`	`metadata_options {`
`304`	`304`	`http_endpoint = "enabled"`
	`305`	`+ http_tokens = "required"`
`305`	`306`	`instance_metadata_tags = "enabled"`
`306`	`307`	`}`
`307`	`308`	`get_password_data = true`
Original file line number	Diff line number	Diff line change
`@@ -234,6 +234,7 @@ ${var.domain_admin_password}`
`234`	`234`
`235`	`235`	`metadata_options {`
`236`	`236`	`http_endpoint = "enabled"`
	`237`	`+ http_tokens = "required"`
`237`	`238`	`instance_metadata_tags = "enabled"`
`238`	`239`	`}`
`239`	`240`	`get_password_data = true`
Original file line number	Diff line number	Diff line change
`@@ -251,6 +251,7 @@ ${var.domain_admin_password}`
`251`	`251`
`252`	`252`	`metadata_options {`
`253`	`253`	`http_endpoint = "enabled"`
	`254`	`+ http_tokens = "required"`
`254`	`255`	`instance_metadata_tags = "enabled"`
`255`	`256`	`}`
`256`	`257`	`get_password_data = true`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,11 @@ resource "aws_instance" "vault_instance" {`
`17`	`17`	`Type = local.vault_cluster_tag`
`18`	`18`	`},`
`19`	`19`	`)`
	`20`	`+`
	`21`	`+ metadata_options {`
	`22`	`+ http_endpoint = "enabled"`
	`23`	`+ http_tokens = "required"`
	`24`	`+ }`
`20`	`25`	`}`
`21`	`26`
`22`	`27`	`resource "enos_remote_exec" "install_dependencies" {`
Original file line number	Diff line number	Diff line change
`@@ -253,6 +253,7 @@ resource "aws_instance" "client" {`
`253`	`253`
`254`	`254`	`metadata_options {`
`255`	`255`	`http_endpoint = "enabled"`
	`256`	`+ http_tokens = "required"`
`256`	`257`	`instance_metadata_tags = "enabled"`
`257`	`258`	`}`
`258`	`259`	`get_password_data = true`
Original file line number	Diff line number	Diff line change
`@@ -161,6 +161,11 @@ resource "aws_instance" "worker" {`
`161`	`161`	`Name = "${var.name_prefix}-boundary-worker-${split(":", data.aws_caller_identity.current.user_id)[1]}",`
`162`	`162`	`},`
`163`	`163`	`)`
	`164`	`+`
	`165`	`+ metadata_options {`
	`166`	`+ http_endpoint = "enabled"`
	`167`	`+ http_tokens = "required"`
	`168`	`+ }`
`164`	`169`	`}`
`165`	`170`
`166`	`171`	`resource "enos_bundle_install" "worker" {`