From f6e96d7aabc36b4506e9ae436dd405c303f56063 Mon Sep 17 00:00:00 2001
From: Herman Wong
Date: Tue, 15 Oct 2024 14:03:26 -0700
Subject: [PATCH] Add var http_put_response_hop_limit with overridable default of 1.
---
 ec2.tf | 2 +-
 variables.tf | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/ec2.tf b/ec2.tf
index 6f1db75..fdec264 100644
--- a/ec2.tf
+++ b/ec2.tf
@@ -15,7 +15,7 @@ resource "aws_instance" "this" {
 get_password_data = var.get_password_data
 metadata_options {
 http_endpoint = "enabled"
- http_put_response_hop_limit = 1
+ http_put_response_hop_limit = var.http_put_response_hop_limit
 http_tokens = var.http_tokens
 instance_metadata_tags = "enabled"
 }
diff --git a/variables.tf b/variables.tf
index 30c3866..27adb23 100644
--- a/variables.tf
+++ b/variables.tf
@@ -235,10 +235,16 @@ EOF
 variable "http_tokens" {
 description = "Whether or not the metadata service requires session tokens, required=IMDSv2, optional=IMDSv1"
- type = any
+ type = string
 default = "required"
 validation {
 condition = can(regex("^(required|optional)$", var.http_tokens))
 error_message = "ERROR: Valid values are 'required' or 'optional'."
 }
-}
\ No newline at end of file
+}
+
+variable "http_put_response_hop_limit" {
+ description = "Number of network hops to allow instance metadata. This should be 2 or higher if using containers on instance and you want containers to access metadata."
+ type = number
+ default = 1
+}
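Review bot: The `http_put_response_hop_limit` line in `metadata_options` now takes whatever the caller passes, and nothing beside it records why 1 was the fixed value. A hop limit above 1 lets the IMDSv2 token response travel beyond the instance's own network stack, so containers on the host can obtain a session token and, with it, the instance role credentials. I would add a comment above the line such as `# Keep at 1 unless containers on this instance must reach IMDS; higher values expose the instance role credentials to them.` The `aws_instance` block starts and ends outside this hunk, so whether an instance profile is attached cannot be seen here.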
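Review bot: The new `http_put_response_hop_limit` variable has no `validation` block, although `http_tokens` directly above it has one. As written, 0, a negative number, a fraction or a value above the EC2 maximum of 64 would presumably be rejected only by the provider or the API at plan or apply time. A validation that accepts whole numbers from 1 to 64 would fail early with a clear message, in the same style as `http_tokens`. The description could also state that raising the limit lets containers reach the instance role credentials, so that callers choose 2 knowingly.

```hcl
variable "http_put_response_hop_limit" {
  # … unchanged: description, type, default …
  validation {
    condition     = var.http_put_response_hop_limit >= 1 && var.http_put_response_hop_limit <= 64 && floor(var.http_put_response_hop_limit) == var.http_put_response_hop_limit
    error_message = "ERROR: Valid values are whole numbers from 1 to 64."
  }
}
```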