Alter user data for IMDSv2

Coalfire-CF · Oct 3, 2023 · 49ab3ea · 49ab3ea
1 parent c1f46c7
commit 49ab3ea
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 35 deletions.
diff --git a/ec2.tf b/ec2.tf
@@ -5,7 +5,16 @@ resource "aws_instance" "this" {
   count         = var.instance_count
   key_name      = var.ec2_key_pair
   monitoring    = true
-  user_data     = length(local.user_data) > 0 ? data.cloudinit_config.user_data[0].rendered : var.simple_user_data
+  user_data                   = var.user_data
+  user_data_base64            = var.user_data_base64
+  user_data_replace_on_change = var.user_data_replace_on_change
+  get_password_data           = var.get_password_data
+  metadata_options {
+    http_endpoint               = "enabled"
+    http_put_response_hop_limit = 1
+    http_tokens                 = "required"
+    instance_metadata_tags      = "enabled"
+  }
 
   ###  NETWORKING  ###
   subnet_id                   = element(var.subnet_ids, count.index)

diff --git a/locals.tf b/locals.tf
@@ -3,16 +3,6 @@ locals {
   create_sg   = length(var.ingress_rules) > 0 || length(var.egress_rules) > 0 ? 1 : 0
 }
 
-# Gathers user data from maps listed in module calls
-locals {
-  user_data = var.user_data == null ? null : [
-    for script in var.user_data : templatefile(
-      "${script["path"]["module_directory"]}/${script["path"]["folder_name"]}/${script["path"]["file_name"]}",
-      script["vars"]
-    )
-  ]
-}
-
 # For lb attachment
 locals {
   full_size = length(aws_instance.this.*.id) * length(var.target_group_arns)

diff --git a/user-data.tf b/user-data.tf
diff --git a/variables.tf b/variables.tf
@@ -174,21 +174,27 @@ variable "source_dest_check" {
 }
 
 variable "user_data" {
-  description = "a list of maps that contain the path to the user data script (starting at the shellScript folder) and the variables for that script."
-  type        = list(map(any))
-  default     = []
+  description = "The user data to provide when launching the instance. Do not pass gzip-compressed data via this argument; see user_data_base64 instead"
+  type        = string
+  default     = null
+}
+
+variable "user_data_base64" {
+  description = "Can be used instead of user_data to pass base64-encoded binary data directly. Use this instead of user_data whenever the value is not a valid UTF-8 string. For example, gzip-encoded user data must be base64-encoded and passed via this argument to avoid corruption"
+  type        = string
+  default     = null
 }
 
-variable "user_data_gzip" {
-  description = "Whether or not to gzip the user data for the instance"
+variable "user_data_replace_on_change" {
+  description = "When used in combination with user_data or user_data_base64 will trigger a destroy and recreate when set to true. Defaults to false if not set"
   type        = bool
-  default     = true
+  default     = null
 }
 
-variable "simple_user_data" {
-  description = "Simple string for 1 liner user data"
-  type        = string
-  default     = ""
+variable "get_password_data" {
+  description = "Whether or not to allow retrieval of the local admin password"
+  type        = bool
+  default     = false
 }
 
 variable "iam_profile" {