From cc620bf814c096b331d0bac096f9980b267c2bfe Mon Sep 17 00:00:00 2001
From: Dima Ilchenko <dima@goteleport.com>
Date: Thu, 27 Oct 2022 23:59:02 -0400
Subject: [PATCH 1/7] Fix bug
 https://github.com/hashicorp/terraform-provider-aws/issues/25909#issuecomment-1218625304

---
 auth_asg.tf    | 5 +++--
 monitor_asg.tf | 7 ++++---
 node_asg.tf    | 5 +++--
 proxy_asg.tf   | 5 +++--
 4 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/auth_asg.tf b/auth_asg.tf
index d46e3e9..3da9d37 100644
--- a/auth_asg.tf
+++ b/auth_asg.tf
@@ -47,7 +47,7 @@ resource "aws_launch_configuration" "auth" {
   name_prefix   = "${substr(var.cluster_name, 0, 16)}-auth-"
   image_id      = var.ami_id
   instance_type = var.auth_instance_type
-  user_data = templatefile(
+  user_data     = templatefile(
     "${path.module}/auth-user-data.tpl",
     {
       region                   = data.aws_region.current.name
@@ -67,7 +67,8 @@ resource "aws_launch_configuration" "auth" {
     }
   )
   metadata_options {
-    http_tokens = "required"
+    http_endpoint = "enabled"
+    http_tokens   = "required"
   }
   root_block_device {
     encrypted = true
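Review bot: The new `http_endpoint = "enabled"` line sets what is, as far as I know, the provider's documented default, so nothing in the file explains why it is there and a later cleanup could remove it as redundant; a comment tying it to the linked report would prevent that, e.g. `# Set explicitly to work around hashicorp/terraform-provider-aws#25909`. The same line is added to monitor_asg.tf, node_asg.tf and proxy_asg.tf in this patch and should carry the same comment. Keeping `http_tokens = "required"` alongside it is what actually enforces IMDSv2 on these instances, so that line is the one that must survive any future edit to this block. The enclosing `aws_launch_configuration` resource starts and ends outside the hunk.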
diff --git a/monitor_asg.tf b/monitor_asg.tf
index f115572..2cb8421 100644
--- a/monitor_asg.tf
+++ b/monitor_asg.tf
@@ -85,7 +85,7 @@ resource "aws_launch_configuration" "monitor" {
   name_prefix   = "${var.cluster_name}-monitor-"
   image_id      = var.ami_id
   instance_type = var.monitor_instance_type
-  user_data = templatefile(
+  user_data     = templatefile(
     "${path.module}/monitor-user-data.tpl",
     {
       region           = data.aws_region.current.name
@@ -99,7 +99,8 @@ resource "aws_launch_configuration" "monitor" {
     }
   )
   metadata_options {
-    http_tokens = "required"
+    http_endpoint = "enabled"
+    http_tokens   = "required"
   }
   root_block_device {
     encrypted = true
@@ -116,7 +117,7 @@ resource "aws_security_group" "monitor" {
   name        = "${var.cluster_name}-monitor"
   description = "SG for ${var.cluster_name}-monitor"
   vpc_id      = local.vpc_id
-  tags = {
+  tags        = {
     TeleportCluster = var.cluster_name
   }
 }
diff --git a/node_asg.tf b/node_asg.tf
index 05b86e0..d9ac5f8 100644
--- a/node_asg.tf
+++ b/node_asg.tf
@@ -41,7 +41,7 @@ resource "aws_launch_configuration" "node" {
   name_prefix   = "${var.cluster_name}-node-"
   image_id      = var.ami_id
   instance_type = var.node_instance_type
-  user_data = templatefile(
+  user_data     = templatefile(
     "${path.module}/node-user-data.tpl",
     {
       region           = data.aws_region.current.name
@@ -53,7 +53,8 @@ resource "aws_launch_configuration" "node" {
     }
   )
   metadata_options {
-    http_tokens = "required"
+    http_endpoint = "enabled"
+    http_tokens   = "required"
   }
   root_block_device {
     encrypted = true
diff --git a/proxy_asg.tf b/proxy_asg.tf
index 1e9628f..f954c7e 100644
--- a/proxy_asg.tf
+++ b/proxy_asg.tf
@@ -100,7 +100,7 @@ resource "aws_launch_configuration" "proxy" {
   name_prefix   = "${substr(var.cluster_name, 0, 16)}-proxy-"
   image_id      = var.ami_id
   instance_type = var.proxy_instance_type
-  user_data = templatefile(
+  user_data     = templatefile(
     "${path.module}/proxy-user-data.tpl",
     {
       region                 = data.aws_region.current.name
@@ -117,7 +117,8 @@ resource "aws_launch_configuration" "proxy" {
     }
   )
   metadata_options {
-    http_tokens = "required"
+    http_endpoint = "enabled"
+    http_tokens   = "required"
   }
   root_block_device {
     encrypted = true

From de91df0bae301fff4cdcf2f17fcfd41eb6fb323d Mon Sep 17 00:00:00 2001
From: Dima Ilchenko <dima@goteleport.com>
Date: Fri, 28 Oct 2022 00:28:07 -0400
Subject: [PATCH 2/7] Attempt new proxy ACM validation approach

---
 acm.tf | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/acm.tf b/acm.tf
index 7330785..5d198c5 100644
--- a/acm.tf
+++ b/acm.tf
@@ -18,16 +18,26 @@ resource "aws_acm_certificate" "cert" {
 }
 
 resource "aws_route53_record" "cert_validation" {
-  name    = tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_name
-  type    = tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_type
-  zone_id = data.aws_route53_zone.proxy.zone_id
-  records = [tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_value]
-  ttl     = 60
-  count   = var.use_acm ? 1 : 0
+  for_each = {
+  for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
+    name   = dvo.resource_record_name
+    record = dvo.resource_record_value
+    type   = dvo.resource_record_type
+  }
+  }
+  name            = each.value.name
+  records         = [each.value.record]
+  type            = each.value.type
+  allow_overwrite = true
+  zone_id         = data.aws_route53_zone.proxy.zone_id
+
+  depends_on = [
+    aws_acm_certificate.cert
+  ]
 }
 
 resource "aws_acm_certificate_validation" "cert" {
   certificate_arn         = aws_acm_certificate.cert[0].arn
-  validation_record_fqdns = [aws_route53_record.cert_validation[0].fqdn]
+  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
   count                   = var.use_acm ? 1 : 0
 }
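Review bot: The `count = var.use_acm ? 1 : 0` guard removed from `aws_route53_record.cert_validation` is not replaced by anything, yet the certificate it iterates over stays conditional (`aws_acm_certificate.cert[0]` and `count = var.use_acm ? 1 : 0` in the validation resource below), so with `use_acm = false` the `for_each` expression is evaluated against a zero-length resource and the plan fails; the reworked versions of this block in patches 4 and 6 keep the same shape. Gating the map on the same flag keeps the two resources in step: `for_each = var.use_acm ? {` at the top and `} : {}` closing it. The `depends_on` on `aws_acm_certificate.cert` is redundant, since the `for_each` expression already references that resource and creates the dependency. `allow_overwrite = true` lets Terraform replace any pre-existing record of the same name and type in the zone, which is the usual pattern for ACM validation CNAMEs but deserves a one-line comment so it is not mistaken for a leftover.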

From bba16f33f78c59c299cb30f48ed02f61954ec0b0 Mon Sep 17 00:00:00 2001
From: Dima Ilchenko <dima@goteleport.com>
Date: Fri, 28 Oct 2022 00:38:21 -0400
Subject: [PATCH 3/7] Attempt new proxy ACM validation approach

---
 acm.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/acm.tf b/acm.tf
index 5d198c5..2a79921 100644
--- a/acm.tf
+++ b/acm.tf
@@ -18,13 +18,13 @@ resource "aws_acm_certificate" "cert" {
 }
 
 resource "aws_route53_record" "cert_validation" {
-  for_each = {
-  for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
+  for_each = [
+  for dvo in aws_acm_certificate.cert.domain_validation_options : {
     name   = dvo.resource_record_name
     record = dvo.resource_record_value
     type   = dvo.resource_record_type
   }
-  }
+  ]
   name            = each.value.name
   records         = [each.value.record]
   type            = each.value.type

From 944786c68d12feb59d8e2856124530b542c28aa0 Mon Sep 17 00:00:00 2001
From: Dima Ilchenko <dima@goteleport.com>
Date: Fri, 28 Oct 2022 00:52:10 -0400
Subject: [PATCH 4/7] Attempt new proxy ACM validation approach

---
 acm.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/acm.tf b/acm.tf
index 2a79921..149eb78 100644
--- a/acm.tf
+++ b/acm.tf
@@ -18,13 +18,13 @@ resource "aws_acm_certificate" "cert" {
 }
 
 resource "aws_route53_record" "cert_validation" {
-  for_each = [
-  for dvo in aws_acm_certificate.cert.domain_validation_options : {
+  for_each = {
+  for dvo in aws_acm_certificate.cert[0].domain_validation_options : dvo.domain_name => {
     name   = dvo.resource_record_name
     record = dvo.resource_record_value
     type   = dvo.resource_record_type
   }
-  ]
+  }
   name            = each.value.name
   records         = [each.value.record]
   type            = each.value.type

From d26c52c62062e52d7fbd4ff6d08049e4f1efe10d Mon Sep 17 00:00:00 2001
From: Dima Ilchenko <dima@goteleport.com>
Date: Fri, 28 Oct 2022 00:54:43 -0400
Subject: [PATCH 5/7] No more license file

---
 data.tf      | 5 -----
 ssm.tf       | 4 ++--
 variables.tf | 6 ++++++
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/data.tf b/data.tf
index c6d0ece..170bfd6 100644
--- a/data.tf
+++ b/data.tf
@@ -8,8 +8,3 @@ data "aws_region" "current" {}
 data "aws_kms_alias" "ssm" {
   name = var.kms_alias_name
 }
-
-# Pick up the license path and make it accessible as a file
-data "local_file" "license" {
-  filename = var.license_path
-}
diff --git a/ssm.tf b/ssm.tf
index 436f41d..85b1e8a 100644
--- a/ssm.tf
+++ b/ssm.tf
@@ -3,10 +3,10 @@
 // is destroyed, cluster will overwrite them with real values
 
 resource "aws_ssm_parameter" "license" {
-  count     = var.license_path != "" ? 1 : 0
+  count     = var.teleport_license != "" ? 1 : 0
   name      = "/teleport/${var.cluster_name}/license"
   type      = "SecureString"
-  value     = data.local_file.license.content
+  value     = var.teleport_license
   overwrite = true
 }
 
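Review bot: `value = var.teleport_license` still places the full license text in Terraform state, because the state records every argument of `aws_ssm_parameter` regardless of `type = "SecureString"`, and `sensitive = true` on the variable only redacts plan and apply output; that was already true of the `data.local_file` approach, but the content now also arrives via variable files or `TF_VAR_` environment, so the resource deserves a comment such as `# The license value is held in Terraform state; restrict and encrypt the state backend accordingly`. `count = var.teleport_license != "" ? 1 : 0` derives `count` from a sensitive value; my understanding is that Terraform permits this for `count` and rejects it only for `for_each`, but that should be confirmed against the Terraform version this module pins.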
diff --git a/variables.tf b/variables.tf
index 0b190bc..601a568 100644
--- a/variables.tf
+++ b/variables.tf
@@ -83,6 +83,12 @@ variable "license_path" {
   default = ""
 }
 
+variable "teleport_license" {
+  type      = string
+  default   = ""
+  sensitive = true
+}
+
 # Instance type used for auth autoscaling group
 variable "auth_instance_type" {
   type    = string
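Review bot: `variable "license_path"` (the hunk's context header) is left in place although this series removes its only visible consumers (`data.local_file.license` in data.tf and the `count`/`value` references in ssm.tf), so a caller that still sets `license_path` after upgrading gets `count = 0` on the license parameter and no error or warning. Unless it is read elsewhere in the module, remove it or mark it with a comment such as `# Deprecated: no longer read; pass the license contents via teleport_license instead`.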

From 27773a2316f066816b7fc484cfb61d1c28f78162 Mon Sep 17 00:00:00 2001
From: Dima Ilchenko <dima@goteleport.com>
Date: Fri, 28 Oct 2022 01:18:22 -0400
Subject: [PATCH 6/7] terraform fmt

---
 acm.tf         | 10 +++++-----
 auth_asg.tf    |  2 +-
 monitor_asg.tf |  4 ++--
 node_asg.tf    |  2 +-
 proxy_asg.tf   |  2 +-
 5 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/acm.tf b/acm.tf
index 149eb78..d6134f1 100644
--- a/acm.tf
+++ b/acm.tf
@@ -19,11 +19,11 @@ resource "aws_acm_certificate" "cert" {
 
 resource "aws_route53_record" "cert_validation" {
   for_each = {
-  for dvo in aws_acm_certificate.cert[0].domain_validation_options : dvo.domain_name => {
-    name   = dvo.resource_record_name
-    record = dvo.resource_record_value
-    type   = dvo.resource_record_type
-  }
+    for dvo in aws_acm_certificate.cert[0].domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
   }
   name            = each.value.name
   records         = [each.value.record]
diff --git a/auth_asg.tf b/auth_asg.tf
index 3da9d37..1ff4a4b 100644
--- a/auth_asg.tf
+++ b/auth_asg.tf
@@ -47,7 +47,7 @@ resource "aws_launch_configuration" "auth" {
   name_prefix   = "${substr(var.cluster_name, 0, 16)}-auth-"
   image_id      = var.ami_id
   instance_type = var.auth_instance_type
-  user_data     = templatefile(
+  user_data = templatefile(
     "${path.module}/auth-user-data.tpl",
     {
       region                   = data.aws_region.current.name
diff --git a/monitor_asg.tf b/monitor_asg.tf
index 2cb8421..23ceb25 100644
--- a/monitor_asg.tf
+++ b/monitor_asg.tf
@@ -85,7 +85,7 @@ resource "aws_launch_configuration" "monitor" {
   name_prefix   = "${var.cluster_name}-monitor-"
   image_id      = var.ami_id
   instance_type = var.monitor_instance_type
-  user_data     = templatefile(
+  user_data = templatefile(
     "${path.module}/monitor-user-data.tpl",
     {
       region           = data.aws_region.current.name
@@ -117,7 +117,7 @@ resource "aws_security_group" "monitor" {
   name        = "${var.cluster_name}-monitor"
   description = "SG for ${var.cluster_name}-monitor"
   vpc_id      = local.vpc_id
-  tags        = {
+  tags = {
     TeleportCluster = var.cluster_name
   }
 }
diff --git a/node_asg.tf b/node_asg.tf
index d9ac5f8..8f004a4 100644
--- a/node_asg.tf
+++ b/node_asg.tf
@@ -41,7 +41,7 @@ resource "aws_launch_configuration" "node" {
   name_prefix   = "${var.cluster_name}-node-"
   image_id      = var.ami_id
   instance_type = var.node_instance_type
-  user_data     = templatefile(
+  user_data = templatefile(
     "${path.module}/node-user-data.tpl",
     {
       region           = data.aws_region.current.name
diff --git a/proxy_asg.tf b/proxy_asg.tf
index f954c7e..dd79d95 100644
--- a/proxy_asg.tf
+++ b/proxy_asg.tf
@@ -100,7 +100,7 @@ resource "aws_launch_configuration" "proxy" {
   name_prefix   = "${substr(var.cluster_name, 0, 16)}-proxy-"
   image_id      = var.ami_id
   instance_type = var.proxy_instance_type
-  user_data     = templatefile(
+  user_data = templatefile(
     "${path.module}/proxy-user-data.tpl",
     {
       region                 = data.aws_region.current.name

From 317bc5eb685f1be74a74e4ac5326d5d22e6ff371 Mon Sep 17 00:00:00 2001
From: Dima Ilchenko <dima@goteleport.com>
Date: Fri, 28 Oct 2022 11:24:52 -0400
Subject: [PATCH 7/7] Add comment to variable

---
 variables.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/variables.tf b/variables.tf
index 601a568..76c6352 100644
--- a/variables.tf
+++ b/variables.tf
@@ -83,6 +83,7 @@ variable "license_path" {
   default = ""
 }
 
+# Contents of the Teleport Enterprise license to be used for the cluster
 variable "teleport_license" {
   type      = string
   default   = ""
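Review bot: The added comment says what the variable is but not how it is consumed, which is the part a module user needs: the value is written to an SSM `SecureString` parameter and is therefore also recorded in Terraform state, and it appears to supersede `license_path`. Extending it to `# Contents of the Teleport Enterprise license for the cluster; uploaded to an SSM SecureString parameter (and recorded in Terraform state). Supersedes license_path.` covers both points. The variable block continues past the end of the hunk.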