Description
Is your request related to a new offering from AWS?
Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.
- Yes ✅: configuring IMDS options has been available for a long time.
Is your request related to a problem? Please describe.
Amazon announced in https://aws.amazon.com/blogs/aws/amazon-ec2-instance-metadata-service-imdsv2-by-default/ :
"Effective mid-2024, newly released Amazon EC2 instance types will use only version 2 of the EC2 Instance Metadata Service (IMDSv2)."
The Terraform module which creates EC2 instances is still enabling IMDSv1 by default. Could you please modify this?
Describe the solution you'd like.
When creating an EC2 instance with Terraform, I would like its MetadataOptions.HttpTokens to be set to required instead of optional.
Describe alternatives you've considered.
I have already been adding metadata_options = { http_tokens = "required" } in my projects, but it would be better if it were the default.
Additional context
IMDSv2 has been available since 2019, with advantages listed at https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/ . Disabling IMDSv1 enhances the security of EC2 instances as it limits the impact of some vulnerabilities (this was described in detail on the AWS News Blog).
The default value is currently defined in variables.tf (terraform-aws-ec2-instance/variables.tf, lines 157 to 165 in 6f851d8).
Several other files seem to use "optional" as the default value for metadata_options.http_tokens and could be updated to use "required":
- terraform-aws-ec2-instance/main.tf, line 125 in 6f851d8
- terraform-aws-ec2-instance/main.tf, line 303 in 6f851d8
- terraform-aws-ec2-instance/main.tf, line 497 in 6f851d8
- wrappers/main.tf
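As an added example (not part of this issue and not code from the terraform-aws-ec2-instance module), the following Python script shows the check a defender would run to find instances that the current "optional" default leaves reachable over IMDSv1, and the parameters that enforce IMDSv2 on them. It works on a constructed sample in the shape of boto3's ec2.describe_instances() response so it runs offline; the instance IDs are made up, and the function names imdsv1_exposed_instances and remediation_params are my own. Against a real account you would replace SAMPLE_RESPONSE with the live API response (assumption: the caller holds ec2:DescribeInstances).

```python
"""Audit EC2 instances for IMDSv1 exposure (added example, not module code).

Operates on the dict shape returned by boto3's ec2.describe_instances(), so it
can be exercised offline on the constructed sample below.
"""

from typing import Dict, List

# Constructed sample in the describe_instances response shape; instance IDs are made up.
SAMPLE_RESPONSE = {
    "Reservations": [
        {
            "Instances": [
                {
                    "InstanceId": "i-0000000000000001",
                    "MetadataOptions": {
                        "HttpEndpoint": "enabled",
                        "HttpTokens": "optional",  # IMDSv1 still accepted: the module's current default
                        "HttpPutResponseHopLimit": 1,
                    },
                },
                {
                    "InstanceId": "i-0000000000000002",
                    "MetadataOptions": {
                        "HttpEndpoint": "enabled",
                        "HttpTokens": "required",  # IMDSv2 only: the requested default
                        "HttpPutResponseHopLimit": 1,
                    },
                },
                {
                    "InstanceId": "i-0000000000000003",
                    "MetadataOptions": {
                        "HttpEndpoint": "disabled",  # IMDS switched off entirely, nothing to reach
                        "HttpTokens": "optional",
                        "HttpPutResponseHopLimit": 1,
                    },
                },
                {
                    # MetadataOptions absent: enforcement cannot be confirmed, so report it.
                    "InstanceId": "i-0000000000000004",
                },
            ]
        }
    ]
}


def imdsv1_exposed_instances(response: Dict) -> List[str]:
    """Return IDs of instances that still answer unauthenticated IMDSv1 requests.

    An instance counts as exposed when its metadata endpoint is enabled and
    HttpTokens is anything other than "required". An instance without a
    MetadataOptions block is reported as well, since the setting is unknown.
    """
    exposed: List[str] = []
    for reservation in response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            opts = instance.get("MetadataOptions")
            if opts is None:
                exposed.append(instance["InstanceId"])
                continue
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # no IMDS at all, IMDSv1 cannot be reached
            if opts.get("HttpTokens") != "required":
                exposed.append(instance["InstanceId"])
    return exposed


def remediation_params(instance_id: str) -> Dict:
    """Build the keyword arguments for ec2.modify_instance_metadata_options().

    HttpTokens="required" is the API-side equivalent of the Terraform setting
    metadata_options = { http_tokens = "required" }. HttpEndpoint stays enabled
    so workloads that legitimately read metadata keep working.
    """
    return {
        "InstanceId": instance_id,
        "HttpTokens": "required",
        "HttpEndpoint": "enabled",
    }


if __name__ == "__main__":
    for instance_id in imdsv1_exposed_instances(SAMPLE_RESPONSE):
        print(f"{instance_id}: IMDSv1 reachable, fix with {remediation_params(instance_id)}")
```

On the sample this reports the instance created with the current "optional" default and the one whose options are unknown, while the instance with IMDS disabled is skipped. The same audit is a useful pre-check before flipping the module default, since it shows which existing instances the new default would not retroactively change.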