From 805d04f6ca32cd6a3c2a883b7db05607dd166cf0 Mon Sep 17 00:00:00 2001
From: "Byungjin Park (Claud)"
Date: Thu, 9 May 2024 17:33:10 +0900
Subject: [PATCH] Support ec2 instance metadata defaults in region (#117)

---
 modules/region/README.md | 8 +++++---
 modules/region/ec2.tf | 22 ++++++++++++++++++++++
 modules/region/outputs.tf | 5 +++--
 modules/region/variables.tf | 13 ++++++++++++-
 modules/region/versions.tf | 4 ++--
 5 files changed, 44 insertions(+), 8 deletions(-)

diff --git a/modules/region/README.md b/modules/region/README.md
index c1f60f5..8c45f31 100644
--- a/modules/region/README.md
+++ b/modules/region/README.md
@@ -5,6 +5,7 @@ This module creates following resources.
 - `aws_ebs_encryption_by_default`
 - `aws_ebs_default_kms_key` (optional)
 - `aws_ec2_image_block_public_access`
+- `aws_ec2_instance_metadata_defaults`
 - `aws_ec2_serial_console_access`
 - `aws_macie2_organization_admin_account` (optional)
 - `aws_resourceexplorer2_index` (optional)
@@ -16,8 +17,8 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 4.22 | +| [terraform](#requirement\_terraform) | >= 1.6 | +| [aws](#requirement\_aws) | >= 5.43 | ## Providers 
@@ -39,6 +40,7 @@ This module creates following resources. | [aws_ebs_encryption_by_default.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default) | resource | | [aws_ec2_availability_zone_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_availability_zone_group) | resource | | [aws_ec2_image_block_public_access.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_image_block_public_access) | resource | +| [aws_ec2_instance_metadata_defaults.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_instance_metadata_defaults) | resource | | [aws_ec2_serial_console_access.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_serial_console_access) | resource | | [aws_macie2_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_organization_admin_account) | resource | | [aws_resourceexplorer2_index.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourceexplorer2_index) | resource | @@ -51,7 +53,7 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [ebs\_default\_encryption](#input\_ebs\_default\_encryption) | (Optional) The configuration of the EBS default encryption. `ebs_default_encryption` as defined below.
(Optional) `enabled` - Whether or not default EBS encryption is enabled.
(Optional) `kms_key` - The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume. |
object({
enabled = optional(bool, false)
kms_key = optional(string)
})
| `{}` | no | -| [ec2](#input\_ec2) | (Optional) The configuration of EC2 in the current AWS region. `ec2` as defined below.
(Optional) `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region. Defaults to `false`.
(Optional) `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. Defaults to `false`. |
object({
ami_public_access_enabled = optional(bool, false)
serial_console_enabled = optional(bool, false)
})
| `{}` | no | +| [ec2](#input\_ec2) | (Optional) The configuration of EC2 in the current AWS region. `ec2` as defined below.
(Optional) `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region. Defaults to `false`.
(Optional) `instance_metadata_defaults` - The configuration of the regional instance metadata default settings. `instance_metadata_defaults` as defined below.
(Optional) `http_enabled` - Whether to enable or disable the HTTP metadata endpoint on your instances. Defaults to `null` (No preference).
(Optional) `http_token_required` - Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2 (IMDSv2). Defaults to `false`. Defaults to `null` (No preference).
(Optional) `http_put_response_hop_limit` - A desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Valid values are integer from `1` to `64`. Defaults to `null` (No preference).
(Optional) `instance_tags_enabled` - Whether to enable the access to instance tags from the instance metadata service. Defaults to `null` (No preference).
(Optional) `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. Defaults to `false`. |
object({
ami_public_access_enabled = optional(bool, false)
instance_metadata_defaults = optional(object({
http_enabled = optional(bool)
http_token_required = optional(bool)
http_put_response_hop_limit = optional(number)
instance_tags_enabled = optional(bool)
}), {})
serial_console_enabled = optional(bool, false)
})
| `{}` | no | | [macie](#input\_macie) | (Optional) The configuration of Macie in the current AWS region. `macie` as defined below.
(Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Macie administrator account for the organization. This can be configured only if Macie is enabled for the organization. The account must be a management account of the organization. |
object({
delegated_administrator = optional(string)
})
| `{}` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | | [resource\_explorer](#input\_resource\_explorer) | (Optional) The configuration of the Resource Explorer in the current AWS region. `resource_explorer` as defined below.
(Optional) `enabled` - Whether or not to enable the Resource Explorer in the current AWS region. Defaults to `true`.
(Optional) `index_type` - The type of the index. Valid values are `AGGREGATOR`, `LOCAL`. Defaults to `LOCAL`.
(Optional) `views` - A list of views to create. `views` as defined below.
(Required) `name` - The name of the view. The name must be no more than 64 characters long, and can include letters, digits, and the dash (-) character. The name must be unique within its AWS Region.
(Optional) `is_default` - Whether the view is the default view for the AWS Region. Defaults to `false`.
(Optional) `filter_queries` - A list of filter queries. Specify which resources are included in the results of queries made using this view. The filter string is combined using a logical AND operator. Defaults to `[]` (include all resources).
(Optional) `additional_resource_attributes` - A list of additional resource attributes. By default, the results include ARN, owner account, Region, service, and resource type. Valid values are `tags`. Defaults to `[]`. |
object({
enabled = optional(bool, true)
index_type = optional(string, "LOCAL")
views = optional(list(object({
name = string
is_default = optional(bool, false)
filter_queries = optional(list(string), [])

additional_resource_attributes = optional(set(string), [])
})), [])
})
| `{}` | no | diff --git a/modules/region/ec2.tf b/modules/region/ec2.tf index 85bcbbb..7bb5fab 100644 --- a/modules/region/ec2.tf +++ b/modules/region/ec2.tf @@ -10,6 +10,28 @@ resource "aws_ec2_image_block_public_access" "this" { } +################################################### +# Instance Metadata Defaults for EC2 +################################################### + +resource "aws_ec2_instance_metadata_defaults" "this" { + http_endpoint = (var.ec2.instance_metadata_defaults.http_enabled != null + ? (var.ec2.instance_metadata_defaults.http_enabled ? "enabled" : "disabled") + : "no-preference" + ) + http_tokens = (var.ec2.instance_metadata_defaults.http_token_required != null + ? (var.ec2.instance_metadata_defaults.http_token_required ? "required" : "optional") + : "no-preference" + ) + http_put_response_hop_limit = coalesce(var.ec2.instance_metadata_defaults.http_put_response_hop_limit, -1) + + instance_metadata_tags = (var.ec2.instance_metadata_defaults.instance_tags_enabled != null + ? (var.ec2.instance_metadata_defaults.instance_tags_enabled ? "enabled" : "disabled") + : "no-preference" + ) +} + + ################################################### # Serial Consol Access for EC2 ################################################### diff --git a/modules/region/outputs.tf b/modules/region/outputs.tf index 3b6cac5..31e5391 100644 --- a/modules/region/outputs.tf +++ b/modules/region/outputs.tf @@ -38,8 +38,9 @@ output "ec2" { `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. EOF value = { - ami_public_access_enabled = aws_ec2_image_block_public_access.this.state == "unblocked" - serial_console_enabled = aws_ec2_serial_console_access.this.enabled + ami_public_access_enabled = aws_ec2_image_block_public_access.this.state == "unblocked" + instance_metadata_defaults = var.ec2.instance_metadata_defaults + serial_console_enabled = aws_ec2_serial_console_access.this.enabled } } 
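Review bot: The `-1` passed to `coalesce()` for `http_put_response_hop_limit` is an undocumented sentinel, while the three sibling attributes spell out their `"no-preference"` fallback in plain strings; a comment would keep the intent visible, e.g. `# -1 is the hop-limit equivalent of "no-preference" (the other attributes use the string form) — confirm against the provider docs for the pinned aws version`. The README text in this patch says the hop limit is valid from `1` to `64`, but nothing in this hunk rejects an out-of-range value before it reaches the API; a `validation` block on `var.ec2` would be the natural place, and that variable's definition is outside this hunk (the variables.tf hunk is cut off in this view). With every field left at its `null` default the resource still gets created and pins all four regional defaults to "no preference", so `http_token_required` unset means the region keeps whatever IMDSv2 posture it had rather than requiring tokens; a one-line comment above the resource saying so would stop readers from assuming that adding this module hardens IMDS by default. The pre-existing "Serial Consol" header in the trailing context is a typo, but it is not part of the change.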
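Review bot: The new `instance_metadata_defaults` output echoes `var.ec2.instance_metadata_defaults` back to the caller, whereas the two sibling keys in the same map read the applied state from their resources (`aws_ec2_image_block_public_access.this.state`, `aws_ec2_serial_console_access.this.enabled`); the output therefore reports what was requested, not what the region actually holds, which matters for anyone auditing IMDS defaults from module outputs. Reading the `aws_ec2_instance_metadata_defaults.this` attributes instead and mapping the provider's `"no-preference"` / `-1` values back to `null` keeps the output shape identical to the input object while making it reflect real state, as sketched below. The visible part of the `description` heredoc lists only `serial_console_enabled`, so if the new key is not described in the lines above the hunk it should be added there too; `output "ec2"` starts outside this hunk.
```hcl
  value = {
    ami_public_access_enabled = aws_ec2_image_block_public_access.this.state == "unblocked"
    # Report the applied regional defaults rather than the requested input;
    # "no-preference" (and -1 for the hop limit) map back to null.
    instance_metadata_defaults = {
      http_enabled = (aws_ec2_instance_metadata_defaults.this.http_endpoint == "no-preference"
        ? null
        : aws_ec2_instance_metadata_defaults.this.http_endpoint == "enabled"
      )
      http_token_required = (aws_ec2_instance_metadata_defaults.this.http_tokens == "no-preference"
        ? null
        : aws_ec2_instance_metadata_defaults.this.http_tokens == "required"
      )
      http_put_response_hop_limit = (aws_ec2_instance_metadata_defaults.this.http_put_response_hop_limit == -1
        ? null
        : aws_ec2_instance_metadata_defaults.this.http_put_response_hop_limit
      )
      instance_tags_enabled = (aws_ec2_instance_metadata_defaults.this.instance_metadata_tags == "no-preference"
        ? null
        : aws_ec2_instance_metadata_defaults.this.instance_metadata_tags == "enabled"
      )
    }
    serial_console_enabled = aws_ec2_serial_console_access.this.enabled
  }
```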
diff --git a/modules/region/variables.tf b/modules/region/variables.tf
index 80e8cab..18e92ad 100644
--- a/modules/region/variables.tf
+++ b/modules/region/variables.tf
@@ -16,11 +16,22 @@ variable "ec2" {
 description = <