feat(workers): Add option for disabling legacy IMDS (#1037)

Dirrk · web-flow · commit 24c0f7d159d1 · 2025-10-01T11:56:17.000+03:00
diff --git a/module-workers.tf b/module-workers.tf
@@ -47,35 +47,36 @@ module "workers" {
   worker_pools     = var.worker_pools
 
   # Workers
-  assign_dns                 = var.assign_dns
-  assign_public_ip           = var.worker_is_public
-  block_volume_type          = var.worker_block_volume_type
-  capacity_reservation_id    = var.worker_capacity_reservation_id
-  cloud_init                 = var.worker_cloud_init
-  disable_default_cloud_init = var.worker_disable_default_cloud_init
-  cni_type                   = var.cni_type
-  image_id                   = var.worker_image_id
-  image_ids                  = local.image_ids
-  image_os                   = var.worker_image_os
-  image_os_version           = var.worker_image_os_version
-  image_type                 = var.worker_image_type
-  indexed_images             = local.indexed_images
-  kubeproxy_mode             = var.kubeproxy_mode
-  max_pods_per_node          = var.max_pods_per_node
-  node_labels                = alltrue([var.cluster_type == "basic", var.cilium_install == true]) ? merge(var.worker_node_labels, { "oci.oraclecloud.com/custom-k8s-networking" = true }) : var.worker_node_labels
-  node_metadata              = var.worker_node_metadata
-  agent_config               = var.agent_config
-  platform_config            = var.platform_config
-  pod_nsg_ids                = concat(var.pod_nsg_ids, var.cni_type == "npn" ? [try(module.network.pod_nsg_id, null)] : [])
-  pod_subnet_id              = try(module.network.pod_subnet_id, "") # safe destroy; validated in submodule
-  pv_transit_encryption      = var.worker_pv_transit_encryption
-  shape                      = var.worker_shape
-  ssh_public_key             = local.ssh_public_key
-  timezone                   = var.timezone
-  volume_kms_key_id          = var.worker_volume_kms_key_id
-  worker_nsg_ids             = concat(var.worker_nsg_ids, [try(module.network.worker_nsg_id, null)])
-  worker_subnet_id           = try(module.network.worker_subnet_id, "") # safe destroy; validated in submodule
-  preemptible_config         = var.worker_preemptible_config
+  assign_dns                     = var.assign_dns
+  assign_public_ip               = var.worker_is_public
+  block_volume_type              = var.worker_block_volume_type
+  capacity_reservation_id        = var.worker_capacity_reservation_id
+  cloud_init                     = var.worker_cloud_init
+  disable_default_cloud_init     = var.worker_disable_default_cloud_init
+  cni_type                       = var.cni_type
+  image_id                       = var.worker_image_id
+  image_ids                      = local.image_ids
+  image_os                       = var.worker_image_os
+  image_os_version               = var.worker_image_os_version
+  image_type                     = var.worker_image_type
+  indexed_images                 = local.indexed_images
+  kubeproxy_mode                 = var.kubeproxy_mode
+  legacy_imds_endpoints_disabled = var.worker_legacy_imds_endpoints_disabled
+  max_pods_per_node              = var.max_pods_per_node
+  node_labels                    = alltrue([var.cluster_type == "basic", var.cilium_install == true]) ? merge(var.worker_node_labels, { "oci.oraclecloud.com/custom-k8s-networking" = true }) : var.worker_node_labels
+  node_metadata                  = var.worker_node_metadata
+  agent_config                   = var.agent_config
+  platform_config                = var.platform_config
+  pod_nsg_ids                    = concat(var.pod_nsg_ids, var.cni_type == "npn" ? [try(module.network.pod_nsg_id, null)] : [])
+  pod_subnet_id                  = try(module.network.pod_subnet_id, "") # safe destroy; validated in submodule
+  pv_transit_encryption          = var.worker_pv_transit_encryption
+  shape                          = var.worker_shape
+  ssh_public_key                 = local.ssh_public_key
+  timezone                       = var.timezone
+  volume_kms_key_id              = var.worker_volume_kms_key_id
+  worker_nsg_ids                 = concat(var.worker_nsg_ids, [try(module.network.worker_nsg_id, null)])
+  worker_subnet_id               = try(module.network.worker_subnet_id, "") # safe destroy; validated in submodule
+  preemptible_config             = var.worker_preemptible_config
 
   # Tagging
   tag_namespace    = var.tag_namespace
@@ -106,4 +107,4 @@ output "worker_pool_ids" {
 output "worker_pool_ips" {
   description = "Created worker instance private IPs by pool for available modes ('node-pool', 'instance')."
   value       = local.worker_count_expected > 0 ? try(one(module.workers[*].worker_pool_ips), null) : null
-}
+}
diff --git a/modules/workers/computecluster.tf b/modules/workers/computecluster.tf
@@ -46,7 +46,7 @@ resource "oci_core_compute_cluster" "workers" {
 resource "oci_core_instance" "compute_cluster_workers" {
   for_each = local.compute_cluster_instance_map
 
-  availability_domain  = (lookup(oci_core_compute_cluster.shared, lookup(each.value, "compute_cluster", ""), null) != null ?
+  availability_domain = (lookup(oci_core_compute_cluster.shared, lookup(each.value, "compute_cluster", ""), null) != null ?
     oci_core_compute_cluster.shared[lookup(each.value, "compute_cluster", "")].availability_domain :
     lookup(each.value, "placement_ad", null) != null ? lookup(var.ad_numbers_to_names, lookup(each.value, "placement_ad")) : element(each.value.availability_domains, 0)
   )
@@ -120,7 +120,7 @@ resource "oci_core_instance" "compute_cluster_workers" {
   }
 
   instance_options {
-    are_legacy_imds_endpoints_disabled = false
+    are_legacy_imds_endpoints_disabled = each.value.legacy_imds_endpoints_disabled
   }
 
   metadata = merge(
diff --git a/modules/workers/instance.tf b/modules/workers/instance.tf
@@ -69,7 +69,7 @@ resource "oci_core_instance" "workers" {
   }
 
   instance_options {
-    are_legacy_imds_endpoints_disabled = false
+    are_legacy_imds_endpoints_disabled = each.value.legacy_imds_endpoints_disabled
   }
 
   metadata = merge(
diff --git a/modules/workers/instanceconfig.tf b/modules/workers/instanceconfig.tf
@@ -38,7 +38,7 @@ resource "oci_core_instance_configuration" "workers" {
       capacity_reservation_id = each.value.capacity_reservation_id
 
       instance_options {
-        are_legacy_imds_endpoints_disabled = false
+        are_legacy_imds_endpoints_disabled = each.value.legacy_imds_endpoints_disabled
       }
 
       create_vnic_details {
diff --git a/modules/workers/locals.tf b/modules/workers/locals.tf
@@ -21,48 +21,49 @@ locals {
       is_monitoring_disabled   = false
       plugins_config           = {}
     }
-    allow_autoscaler             = false
-    assign_public_ip             = var.assign_public_ip
-    autoscale                    = false
-    block_volume_type            = var.block_volume_type
-    boot_volume_size             = local.boot_volume_size
-    boot_volume_vpus_per_gb      = local.boot_volume_vpus_per_gb
-    capacity_reservation_id      = var.capacity_reservation_id
-    cloud_init                   = [] # empty pool-specific default
-    compartment_id               = var.compartment_id
-    create                       = true
-    disable_default_cloud_init   = var.disable_default_cloud_init
-    drain                        = false
-    eviction_grace_duration      = 300
-    force_node_delete            = true
-    extended_metadata            = {} # empty pool-specific default
-    ignore_initial_pool_size     = false
-    image_id                     = var.image_id
-    image_type                   = var.image_type
-    kubernetes_version           = var.kubernetes_version
-    max_pods_per_node            = min(max(var.max_pods_per_node, 1), 110)
-    memory                       = local.memory
-    mode                         = var.worker_pool_mode
-    node_cycling_enabled         = false
-    node_cycling_max_surge       = 1
-    node_cycling_max_unavailable = 0
-    node_cycling_mode            = ["instance"]
-    node_labels                  = var.node_labels
-    nsg_ids                      = [] # empty pool-specific default
-    ocpus                        = local.ocpus
-    os                           = var.image_os
-    os_version                   = var.image_os_version
-    placement_ads                = var.ad_numbers
-    platform_config              = var.platform_config
-    pod_nsg_ids                  = var.pod_nsg_ids
-    pod_subnet_id                = coalesce(var.pod_subnet_id, var.worker_subnet_id, "none")
-    preemptible_config           = var.preemptible_config
-    pv_transit_encryption        = var.pv_transit_encryption
-    shape                        = local.shape
-    size                         = var.worker_pool_size
-    subnet_id                    = var.worker_subnet_id
-    taints                       = [] # empty pool-specific default
-    volume_kms_key_id            = var.volume_kms_key_id
+    allow_autoscaler               = false
+    legacy_imds_endpoints_disabled = var.legacy_imds_endpoints_disabled
+    assign_public_ip               = var.assign_public_ip
+    autoscale                      = false
+    block_volume_type              = var.block_volume_type
+    boot_volume_size               = local.boot_volume_size
+    boot_volume_vpus_per_gb        = local.boot_volume_vpus_per_gb
+    capacity_reservation_id        = var.capacity_reservation_id
+    cloud_init                     = [] # empty pool-specific default
+    compartment_id                 = var.compartment_id
+    create                         = true
+    disable_default_cloud_init     = var.disable_default_cloud_init
+    drain                          = false
+    eviction_grace_duration        = 300
+    force_node_delete              = true
+    extended_metadata              = {} # empty pool-specific default
+    ignore_initial_pool_size       = false
+    image_id                       = var.image_id
+    image_type                     = var.image_type
+    kubernetes_version             = var.kubernetes_version
+    max_pods_per_node              = min(max(var.max_pods_per_node, 1), 110)
+    memory                         = local.memory
+    mode                           = var.worker_pool_mode
+    node_cycling_enabled           = false
+    node_cycling_max_surge         = 1
+    node_cycling_max_unavailable   = 0
+    node_cycling_mode              = ["instance"]
+    node_labels                    = var.node_labels
+    nsg_ids                        = [] # empty pool-specific default
+    ocpus                          = local.ocpus
+    os                             = var.image_os
+    os_version                     = var.image_os_version
+    placement_ads                  = var.ad_numbers
+    platform_config                = var.platform_config
+    pod_nsg_ids                    = var.pod_nsg_ids
+    pod_subnet_id                  = coalesce(var.pod_subnet_id, var.worker_subnet_id, "none")
+    preemptible_config             = var.preemptible_config
+    pv_transit_encryption          = var.pv_transit_encryption
+    shape                          = local.shape
+    size                           = var.worker_pool_size
+    subnet_id                      = var.worker_subnet_id
+    taints                         = [] # empty pool-specific default
+    volume_kms_key_id              = var.volume_kms_key_id
   }
 
   # Merge desired pool configuration onto default values
@@ -172,11 +173,11 @@ locals {
       )
 
       # Override Node-cycling mode
-      node_cycling_mode = pool.node_cycling_mode != null ? [ for entry in pool.node_cycling_mode: lookup(local.supported_node_cycling_mode, lower(entry)) ] : null
-      
+      node_cycling_mode = pool.node_cycling_mode != null ? [for entry in pool.node_cycling_mode : lookup(local.supported_node_cycling_mode, lower(entry))] : null
+
     }) if tobool(pool.create)
   }
-  
+
   supported_node_cycling_mode = {
     instance    = "INSTANCE_REPLACE"
     boot_volume = "BOOT_VOLUME_REPLACE"
@@ -290,12 +291,12 @@ locals {
 
   # Yields {<pool name> = {<instance id> = <instance ip>}} for modes: 'node-pool', 'instance'
   worker_pool_ips = merge(local.worker_instance_ips, local.worker_nodepool_ips)
-  
+
   # Map of nodepools using Ubuntu images.
 
   ubuntu_supported_versions = {
-    "22.04" = "jammy"
-    "24.04" = "noble"
+    "22.04"         = "jammy"
+    "24.04"         = "noble"
     "22.04 Minimal" = "jammy"
     "24.04 Minimal" = "nobble"
   }
@@ -307,6 +308,6 @@ locals {
       ubuntu_release           = lookup(data.oci_core_image.workers[k], "operating_system_version", null) != null ? lookup(data.oci_core_image.workers[k], "operating_system_version") : lookup(v, "os_version", null)
     }
     if lookup(v, "mode", var.worker_pool_mode) != "virtual-node-pool" &&
-      contains(coalescelist(split(" ", lookup(data.oci_core_image.workers[k], "operating_system", "")), [lookup(v, "os", "")]), "Ubuntu")
+    contains(coalescelist(split(" ", lookup(data.oci_core_image.workers[k], "operating_system", "")), [lookup(v, "os", "")]), "Ubuntu")
   }
 }
diff --git a/modules/workers/variables.tf b/modules/workers/variables.tf
@@ -291,6 +291,12 @@ variable "max_pods_per_node" {
   }
 }
 
+variable "legacy_imds_endpoints_disabled" {
+  default     = false
+  description = "Whether to disable requests to the IMDSv1 endpoint and only allow requests to the IMDSv2 endpoint.  See <a href=https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengconfiguringimds.htm>Instance Metadata</a> for more information."
+  type        = bool
+}
+
 variable "platform_config" {
   default     = null
   description = "Default platform_config for self-managed worker pools created with mode: 'instance', 'instance-pool', or 'cluster-network'. See <a href=https://docs.oracle.com/en-us/iaas/api/#/en/iaas/20160918/datatypes/PlatformConfig>PlatformConfig</a> for more information."
@@ -327,4 +333,4 @@ variable "compute_clusters" {
   default     = {}
   description = "Whether to create compute clusters shared by nodes across multiple worker pools enabled for 'compute-cluster'."
   type        = map(any)
-}
+}
diff --git a/variables-workers.tf b/variables-workers.tf
@@ -206,6 +206,12 @@ variable "worker_pv_transit_encryption" {
   type        = bool
 }
 
+variable "worker_legacy_imds_endpoints_disabled" {
+  default     = false
+  description = "Whether to disable requests to the IMDSv1 endpoint and only allow requests to the IMDSv2 endpoint.  See <a href=https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengconfiguringimds.htm>Instance Metadata</a> for more information."
+  type        = bool
+}
+
 variable "max_pods_per_node" {
   default     = 31
   description = "The default maximum number of pods to deploy per node when unspecified on a pool. Absolute maximum is 110. Ignored when when cni_type != 'npn'."

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ resource "oci_core_compute_cluster" "workers" {`
`46`	`46`	`resource "oci_core_instance" "compute_cluster_workers" {`
`47`	`47`	`for_each = local.compute_cluster_instance_map`
`48`	`48`
`49`		`- availability_domain = (lookup(oci_core_compute_cluster.shared, lookup(each.value, "compute_cluster", ""), null) != null ?`
	`49`	`+ availability_domain = (lookup(oci_core_compute_cluster.shared, lookup(each.value, "compute_cluster", ""), null) != null ?`
`50`	`50`	`oci_core_compute_cluster.shared[lookup(each.value, "compute_cluster", "")].availability_domain :`
`51`	`51`	`lookup(each.value, "placement_ad", null) != null ? lookup(var.ad_numbers_to_names, lookup(each.value, "placement_ad")) : element(each.value.availability_domains, 0)`
`52`	`52`	`)`
`@@ -120,7 +120,7 @@ resource "oci_core_instance" "compute_cluster_workers" {`
`120`	`120`	`}`
`121`	`121`
`122`	`122`	`instance_options {`
`123`		`- are_legacy_imds_endpoints_disabled = false`
	`123`	`+ are_legacy_imds_endpoints_disabled = each.value.legacy_imds_endpoints_disabled`
`124`	`124`	`}`
`125`	`125`
`126`	`126`	`metadata = merge(`
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ resource "oci_core_instance" "workers" {`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`instance_options {`
`72`		`- are_legacy_imds_endpoints_disabled = false`
	`72`	`+ are_legacy_imds_endpoints_disabled = each.value.legacy_imds_endpoints_disabled`
`73`	`73`	`}`
`74`	`74`
`75`	`75`	`metadata = merge(`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ resource "oci_core_instance_configuration" "workers" {`
`38`	`38`	`capacity_reservation_id = each.value.capacity_reservation_id`
`39`	`39`
`40`	`40`	`instance_options {`
`41`		`- are_legacy_imds_endpoints_disabled = false`
	`41`	`+ are_legacy_imds_endpoints_disabled = each.value.legacy_imds_endpoints_disabled`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`create_vnic_details {`