Merge pull request #26 from Coalfire-CF/add_fix_for_containers
Add var http_put_response_hop_limit with overridable default of 1.
az-kennedy authored Oct 16, 2024
2 parents a0317f2 + 664acb6 commit 8599264
Showing 3 changed files with 11 additions and 4 deletions.
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -222,7 +222,8 @@ module "ad2" {
| <a name="input_egress_rules"></a> [egress\_rules](#input\_egress\_rules) | The list of rules for egress traffic. Required fields for each rule are 'protocol', 'from\_port', 'to\_port', and at least one of 'cidr\_blocks', 'ipv6\_cidr\_blocks', 'security\_groups', 'self', or 'prefix\_list\_sg'. Optional fields are 'description' and those not used from the previous list | <pre>map(object({<br/> cidr_ipv4 = optional(string, null)<br/> cidr_ipv6 = optional(string, null)<br/> description = optional(string, "Managed by Terraform")<br/> from_port = optional(string, null)<br/> ip_protocol = optional(string, null)<br/> prefix_list_id = optional(string, null)<br/> referenced_security_group_id = optional(string, null)<br/> to_port = optional(string, null)<br/> }))</pre> | `{}` | no |
| <a name="input_get_password_data"></a> [get\_password\_data](#input\_get\_password\_data) | Whether or not to allow retrieval of the local admin password | `bool` | `false` | no |
| <a name="input_global_tags"></a> [global\_tags](#input\_global\_tags) | a map of strings that contains global level tags | `map(string)` | n/a | yes |
| <a name="input_http_tokens"></a> [http\_tokens](#input\_http\_tokens) | Whether or not the metadata service requires session tokens, required=IMDSv2, optional=IMDSv1 | `any` | `"required"` | no |
| <a name="input_http_put_response_hop_limit"></a> [http\_put\_response\_hop\_limit](#input\_http\_put\_response\_hop\_limit) | Number of network hops to allow instance metadata. This should be 2 or higher if using containers on instance and you want containers to access metadata. | `number` | `1` | no |
| <a name="input_http_tokens"></a> [http\_tokens](#input\_http\_tokens) | Whether or not the metadata service requires session tokens, required=IMDSv2, optional=IMDSv1 | `string` | `"required"` | no |
| <a name="input_iam_policies"></a> [iam\_policies](#input\_iam\_policies) | A list of the iam policy ARNs to attach to the IAM role | `list(string)` | `[]` | no |
| <a name="input_iam_profile"></a> [iam\_profile](#input\_iam\_profile) | A variable to attach an existing iam profile to the ec2 instance(s) created | `string` | `""` | no |
| <a name="input_ingress_rules"></a> [ingress\_rules](#input\_ingress\_rules) | The list of rules for ingress traffic. Required fields for each rule are 'protocol', 'from\_port', 'to\_port', and at least one of 'cidr\_blocks', 'ipv6\_cidr\_blocks', 'security\_groups', 'self', or 'prefix\_list\_sg'. Optional fields are 'description' and those not used from the previous list | <pre>map(object({<br/> cidr_ipv4 = optional(string, null)<br/> cidr_ipv6 = optional(string, null)<br/> description = optional(string, "Managed by Terraform")<br/> from_port = optional(string, null)<br/> ip_protocol = optional(string, null)<br/> prefix_list_id = optional(string, null)<br/> referenced_security_group_id = optional(string, null)<br/> to_port = optional(string, null)<br/> }))</pre> | `{}` | no |
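Review bot: the description of `http_put_response_hop_limit` in the new row should state the trade-off, not only the container use case: the hop limit is what stops IMDS responses from leaving the instance's own network stack, so raising it above 1 widens who can read the metadata (any container or hop on the path), and the row should say that 1 is the safe default and that a higher value belongs together with `http_tokens = "required"` (the default shown in the row below it). Suggested wording: "Number of network hops allowed for IMDS responses. Keep at 1 unless containers on the instance must reach the metadata service; values above 1 should be combined with `http_tokens = "required"`." Note also that this hunk changes the `http_tokens` type from `any` to `string` as well as adding the new row, which the commit message does not mention.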
2 changes: 1 addition & 1 deletion ec2.tf
Expand Up @@ -15,7 +15,7 @@ resource "aws_instance" "this" {
get_password_data = var.get_password_data
metadata_options {
http_endpoint = "enabled"
http_put_response_hop_limit = 1
http_put_response_hop_limit = var.http_put_response_hop_limit
http_tokens = var.http_tokens
instance_metadata_tags = "enabled"
}
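Review bot: wiring the variable in here is correct, but nothing now prevents the weakest combination, `http_tokens = "optional"` (IMDSv1 allowed) together with a hop limit above 1. Since both values are caller-controlled after this change, consider a `lifecycle { precondition { ... } }` on `aws_instance.this` with `condition = var.http_tokens == "required" || var.http_put_response_hop_limit <= 1` and an error message explaining that a wider hop limit requires IMDSv2, so the module refuses the risky pairing at plan time.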
10 changes: 8 additions & 2 deletions variables.tf
Expand Up @@ -235,10 +235,16 @@ EOF

variable "http_tokens" {
description = "Whether or not the metadata service requires session tokens, required=IMDSv2, optional=IMDSv1"
type = any
type = string
default = "required"
validation {
condition = can(regex("^(required|optional)$", var.http_tokens))
error_message = "ERROR: Valid values are 'required' or 'optional'."
}
}
}

variable "http_put_response_hop_limit" {
description = "Number of network hops to allow instance metadata. This should be 2 or higher if using containers on instance and you want containers to access metadata."
type = number
default = 1
}
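Review bot: the new `http_put_response_hop_limit` variable has no `validation` block, while the neighbouring `http_tokens` variable gains one in this same hunk; AWS accepts hop limits of 1 to 64, so add `condition = var.http_put_response_hop_limit >= 1 && var.http_put_response_hop_limit <= 64` with an error message naming that range, so an out-of-range or zero value fails at plan time instead of at the API. The description also reads "if using containers on instance"; "on the instance" is the intended phrasing, and it should mention that values above 1 let metadata responses travel beyond the instance itself, which is the reason 1 is the default. Finally, the `http_tokens` change from `type = any` to `type = string` plus the added regex validation is a behaviour change for callers passing non-string values and deserves a line in the commit message.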
