From 134f034c3d18702b3492aa66791b16b6df963905 Mon Sep 17 00:00:00 2001
From: Dima Ilchenko
Date: Fri, 28 Oct 2022 11:31:40 -0400
Subject: [PATCH] Multiple fixes for "ghost" diffs (#5)

* Fix bug https://github.com/hashicorp/terraform-provider-aws/issues/25909#issuecomment-1218625304
* New proxy ACM validation approach
* No more license file
* terraform fmt
---
 acm.tf | 24 +++++++++++++++++-------
 auth_asg.tf | 3 ++-
 data.tf | 5 -----
 monitor_asg.tf | 3 ++-
 node_asg.tf | 3 ++-
 proxy_asg.tf | 3 ++-
 ssm.tf | 4 ++--
 variables.tf | 7 +++++++
 8 files changed, 34 insertions(+), 18 deletions(-)

diff --git a/acm.tf b/acm.tf
index 7330785..d6134f1 100644
--- a/acm.tf
+++ b/acm.tf
@@ -18,16 +18,26 @@ resource "aws_acm_certificate" "cert" {
 }
 
 resource "aws_route53_record" "cert_validation" {
- name = tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_name
- type = tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_type
- zone_id = data.aws_route53_zone.proxy.zone_id
- records = [tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_value]
- ttl = 60
- count = var.use_acm ? 1 : 0
+ for_each = {
+ for dvo in aws_acm_certificate.cert[0].domain_validation_options : dvo.domain_name => {
+ name = dvo.resource_record_name
+ record = dvo.resource_record_value
+ type = dvo.resource_record_type
+ }
+ }
+ name = each.value.name
+ records = [each.value.record]
+ type = each.value.type
+ allow_overwrite = true
+ zone_id = data.aws_route53_zone.proxy.zone_id
+
+ depends_on = [
+ aws_acm_certificate.cert
+ ]
 }
 
 resource "aws_acm_certificate_validation" "cert" {
 certificate_arn = aws_acm_certificate.cert[0].arn
- validation_record_fqdns = [aws_route53_record.cert_validation[0].fqdn]
+ validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
 count = var.use_acm ? 1 : 0
 }
diff --git a/auth_asg.tf b/auth_asg.tf
index d46e3e9..1ff4a4b 100644
--- a/auth_asg.tf
+++ b/auth_asg.tf
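Review bot: The new `for_each` map in `aws_route53_record.cert_validation` reads `aws_acm_certificate.cert[0]` unconditionally, while the `count = var.use_acm ? 1 : 0` guard the old record carried is gone; every other use of the certificate in this hunk is `cert[0]`, so when `use_acm` is false the instance does not exist and the plan fails on an invalid index instead of skipping the records. Keep the conditional by wrapping the map: `for_each = var.use_acm ? {` … `} : {}`. `ttl = 60` was also dropped, and the provider documents `ttl` as required for non-alias records, so it should be restored. The explicit `depends_on = [aws_acm_certificate.cert]` is redundant given the `for_each` reference, and `allow_overwrite = true` deserves a one-line comment noting that it lets this module take over a pre-existing record of the same name in the zone, since that widens what the module will modify.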
@@ -67,7 +67,8 @@ resource "aws_launch_configuration" "auth" {
 }
 )
 metadata_options {
- http_tokens = "required"
+ http_endpoint = "enabled"
+ http_tokens = "required"
 }
 root_block_device {
 encrypted = true
diff --git a/data.tf b/data.tf
index c6d0ece..170bfd6 100644
--- a/data.tf
+++ b/data.tf
@@ -8,8 +8,3 @@ data "aws_region" "current" {}
 data "aws_kms_alias" "ssm" {
 name = var.kms_alias_name
 }
-
-# Pick up the license path and make it accessible as a file
-data "local_file" "license" {
- filename = var.license_path
-}
diff --git a/monitor_asg.tf b/monitor_asg.tf
index f115572..23ceb25 100644
--- a/monitor_asg.tf
+++ b/monitor_asg.tf
@@ -99,7 +99,8 @@ resource "aws_launch_configuration" "monitor" {
 }
 )
 metadata_options {
- http_tokens = "required"
+ http_endpoint = "enabled"
+ http_tokens = "required"
 }
 root_block_device {
 encrypted = true
diff --git a/node_asg.tf b/node_asg.tf
index 05b86e0..8f004a4 100644
--- a/node_asg.tf
+++ b/node_asg.tf
@@ -53,7 +53,8 @@ resource "aws_launch_configuration" "node" {
 }
 )
 metadata_options {
- http_tokens = "required"
+ http_endpoint = "enabled"
+ http_tokens = "required"
 }
 root_block_device {
 encrypted = true
diff --git a/proxy_asg.tf b/proxy_asg.tf
index 1e9628f..dd79d95 100644
--- a/proxy_asg.tf
+++ b/proxy_asg.tf
@@ -117,7 +117,8 @@ resource "aws_launch_configuration" "proxy" {
 }
 )
 metadata_options {
- http_tokens = "required"
+ http_endpoint = "enabled"
+ http_tokens = "required"
 }
 root_block_device {
 encrypted = true
diff --git a/ssm.tf b/ssm.tf
index 436f41d..85b1e8a 100644
--- a/ssm.tf
+++ b/ssm.tf
@@ -3,10 +3,10 @@
 // is destroyed, cluster will overwrite them with real values
 
 resource "aws_ssm_parameter" "license" {
- count = var.license_path != "" ? 1 : 0
+ count = var.teleport_license != "" ? 1 : 0
 name = "/teleport/${var.cluster_name}/license"
 type = "SecureString"
- value = data.local_file.license.content
+ value = var.teleport_license
 overwrite = true
 }
 
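Review bot: `http_endpoint = "enabled"` added above `http_tokens = "required"` needs a comment, because without one a reader takes it for a behaviour change rather than an explicit pin of the provider default that produced the perpetual diff referenced in the commit message; suggested: `# explicit http_endpoint pins the provider default so plan stops showing a change; http_tokens = "required" enforces IMDSv2`. The same two-line hunk is repeated in monitor_asg.tf, node_asg.tf and proxy_asg.tf, and the comment belongs in each of them. The enclosing `aws_launch_configuration` block starts and ends outside the hunk.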
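Review bot: With `value = var.teleport_license` the whole `aws_ssm_parameter.license` block is visible and sets `type = "SecureString"` without a `key_id`, so the parameter is encrypted with the account's default SSM key even though the module resolves `data.aws_kms_alias.ssm` (shown as context in the data.tf hunk); if that alias is meant for this parameter, add `key_id = data.aws_kms_alias.ssm.target_key_id`, otherwise a comment stating that the default key is intended would settle it. A comment on the resource should also say that `sensitive = true` on the variable hides the license from plan output only, while the parameter value is still written in clear to the Terraform state. The `count` guard now keys on `var.teleport_license` alone, so a caller that still sets `license_path` silently gets no parameter at all.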
diff --git a/variables.tf b/variables.tf
index 0b190bc..76c6352 100644
--- a/variables.tf
+++ b/variables.tf
@@ -83,6 +83,13 @@ variable "license_path" {
 default = ""
 }
 
+# Contents of the Teleport Enterprise license to be used for the cluster
+variable "teleport_license" {
+ type = string
+ default = ""
+ sensitive = true
+}
+
 # Instance type used for auth autoscaling group
 variable "auth_instance_type" {
 type = string
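Review bot: `variable "license_path"` remains declared directly above the new block although its only consumer shown in this patch, `data.local_file.license`, is removed and ssm.tf now reads `var.teleport_license`; unless something outside the diff still uses it, drop it or give it a `description` marking it deprecated in favour of `teleport_license`, so callers still setting it notice that the license is no longer applied. The new variable's comment should also say how the value is expected to arrive, e.g. `# Contents of the Teleport Enterprise license (pass file(...) from the caller); sensitive = true hides it from plan output but not from state`.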