From 5ce6eb1eceac16351cc9dcd60cf7a9a666881f77 Mon Sep 17 00:00:00 2001
From: Bryant Biggs <bryantbiggs@gmail.com>
Date: Sun, 30 Mar 2025 09:24:54 -0500
Subject: [PATCH] feat: Disable IMDSv1 per AWS default behavior change

---
 .pre-commit-config.yaml | 2 +-
 README.md               | 4 ++--
 main.tf                 | 6 +++---
 variables.tf            | 2 +-
 wrappers/main.tf        | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7e4e7da..424b371 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.96.1
+    rev: v1.98.0
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each
diff --git a/README.md b/README.md
index e3ee700..863555d 100644
--- a/README.md
+++ b/README.md
@@ -236,7 +236,7 @@ No modules.
 | <a name="input_key_name"></a> [key\_name](#input\_key\_name) | Key name of the Key Pair to use for the instance; which can be managed using the `aws_key_pair` resource | `string` | `null` | no |
 | <a name="input_launch_template"></a> [launch\_template](#input\_launch\_template) | Specifies a Launch Template to configure the instance. Parameters configured on this resource will override the corresponding parameters in the Launch Template | `map(string)` | `{}` | no |
 | <a name="input_maintenance_options"></a> [maintenance\_options](#input\_maintenance\_options) | The maintenance options for the instance | `any` | `{}` | no |
-| <a name="input_metadata_options"></a> [metadata\_options](#input\_metadata\_options) | Customize the metadata options of the instance | `map(string)` | <pre>{<br/>  "http_endpoint": "enabled",<br/>  "http_put_response_hop_limit": 1,<br/>  "http_tokens": "optional"<br/>}</pre> | no |
+| <a name="input_metadata_options"></a> [metadata\_options](#input\_metadata\_options) | Customize the metadata options of the instance | `map(string)` | <pre>{<br/>  "http_endpoint": "enabled",<br/>  "http_put_response_hop_limit": 1,<br/>  "http_tokens": "required"<br/>}</pre> | no |
 | <a name="input_monitoring"></a> [monitoring](#input\_monitoring) | If true, the launched EC2 instance will have detailed monitoring enabled | `bool` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be used on EC2 instance created | `string` | `""` | no |
 | <a name="input_network_interface"></a> [network\_interface](#input\_network\_interface) | Customize network interfaces to be attached at instance boot time | `list(map(string))` | `[]` | no |
@@ -244,7 +244,7 @@ No modules.
 | <a name="input_private_dns_name_options"></a> [private\_dns\_name\_options](#input\_private\_dns\_name\_options) | Customize the private DNS name options of the instance | `map(string)` | `{}` | no |
 | <a name="input_private_ip"></a> [private\_ip](#input\_private\_ip) | Private IP address to associate with the instance in a VPC | `string` | `null` | no |
 | <a name="input_putin_khuylo"></a> [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no |
-| <a name="input_root_block_device"></a> [root\_block\_device](#input\_root\_block\_device) | Customize details about the root block device of the instance. See [Block Devices](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#ebs-ephemeral-and-root-block-devices) for details | `list(any)` | `[]` | no |
+| <a name="input_root_block_device"></a> [root\_block\_device](#input\_root\_block\_device) | Customize details about the root block device of the instance. See Block Devices below for details | `list(any)` | `[]` | no |
 | <a name="input_secondary_private_ips"></a> [secondary\_private\_ips](#input\_secondary\_private\_ips) | A list of secondary private IPv4 addresses to assign to the instance's primary network interface (eth0) in a VPC. Can only be assigned to the primary network interface (eth0) attached at instance creation, not a pre-existing network interface i.e. referenced in a `network_interface block` | `list(string)` | `null` | no |
 | <a name="input_source_dest_check"></a> [source\_dest\_check](#input\_source\_dest\_check) | Controls if traffic is routed to the instance when the destination address does not match the instance. Used for NAT or VPNs | `bool` | `null` | no |
 | <a name="input_spot_block_duration_minutes"></a> [spot\_block\_duration\_minutes](#input\_spot\_block\_duration\_minutes) | The required duration for the Spot instances, in minutes. This value must be a multiple of 60 (60, 120, 180, 240, 300, or 360) | `number` | `null` | no |
diff --git a/main.tf b/main.tf
index 749e67d..01a520d 100644
--- a/main.tf
+++ b/main.tf
@@ -122,7 +122,7 @@ resource "aws_instance" "this" {
 
     content {
       http_endpoint               = try(metadata_options.value.http_endpoint, "enabled")
-      http_tokens                 = try(metadata_options.value.http_tokens, "optional")
+      http_tokens                 = try(metadata_options.value.http_tokens, "required")
       http_put_response_hop_limit = try(metadata_options.value.http_put_response_hop_limit, 1)
       instance_metadata_tags      = try(metadata_options.value.instance_metadata_tags, null)
     }
@@ -300,7 +300,7 @@ resource "aws_instance" "ignore_ami" {
 
     content {
       http_endpoint               = try(metadata_options.value.http_endpoint, "enabled")
-      http_tokens                 = try(metadata_options.value.http_tokens, "optional")
+      http_tokens                 = try(metadata_options.value.http_tokens, "required")
       http_put_response_hop_limit = try(metadata_options.value.http_put_response_hop_limit, 1)
       instance_metadata_tags      = try(metadata_options.value.instance_metadata_tags, null)
     }
@@ -494,7 +494,7 @@ resource "aws_spot_instance_request" "this" {
 
     content {
       http_endpoint               = try(metadata_options.value.http_endpoint, "enabled")
-      http_tokens                 = try(metadata_options.value.http_tokens, "optional")
+      http_tokens                 = try(metadata_options.value.http_tokens, "required")
       http_put_response_hop_limit = try(metadata_options.value.http_put_response_hop_limit, 1)
       instance_metadata_tags      = try(metadata_options.value.instance_metadata_tags, null)
     }
diff --git a/variables.tf b/variables.tf
index 38a1b5b..e59a9dc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -160,7 +160,7 @@ variable "metadata_options" {
   default = {
     "http_endpoint"               = "enabled"
     "http_put_response_hop_limit" = 1
-    "http_tokens"                 = "optional"
+    "http_tokens"                 = "required"
   }
 }
 
diff --git a/wrappers/main.tf b/wrappers/main.tf
index 9ba0cdb..048da56 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
@@ -48,7 +48,7 @@ module "wrapper" {
   metadata_options = try(each.value.metadata_options, var.defaults.metadata_options, {
     "http_endpoint"               = "enabled"
     "http_put_response_hop_limit" = 1
-    "http_tokens"                 = "optional"
+    "http_tokens"                 = "required"
   })
   monitoring                          = try(each.value.monitoring, var.defaults.monitoring, null)
   name                                = try(each.value.name, var.defaults.name, "")