Add var http_put_response_hop_limit with overridable default of 1.

Coalfire-CF · Oct 15, 2024 · f6e96d7 · f6e96d7
1 parent a0317f2
commit f6e96d7
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/ec2.tf b/ec2.tf
@@ -15,7 +15,7 @@ resource "aws_instance" "this" {
   get_password_data           = var.get_password_data
   metadata_options {
     http_endpoint               = "enabled"
-    http_put_response_hop_limit = 1
+    http_put_response_hop_limit = var.http_put_response_hop_limit
     http_tokens                 = var.http_tokens
     instance_metadata_tags      = "enabled"
   }

diff --git a/variables.tf b/variables.tf
@@ -235,10 +235,16 @@ EOF
 
 variable "http_tokens" {
   description = "Whether or not the metadata service requires session tokens, required=IMDSv2, optional=IMDSv1"
-  type        = any
+  type        = string
   default     = "required"
   validation {
     condition     = can(regex("^(required|optional)$", var.http_tokens))
     error_message = "ERROR: Valid values are 'required' or 'optional'."
   }
-}
+}
+
+variable "http_put_response_hop_limit" {
+  description = "Number of network hops to allow instance metadata.  This should be 2 or higher if using containers on instance and you want containers to access metadata."
+  type        = number
+  default     = 1
+}