chore: updated ec2 configurations to require imdsv2 (#6005)

5 months ago · fac22dfc4a
parent 7ceedbc208
commit fac22dfc4a
9 changed files with 32 additions and 1 deletions
--- a/enos/README.md
+++ b/enos/README.md
@ -66,6 +66,8 @@ following lines
 127.0.0.1       localhost       worker
 127.0.0.1       localhost       vault
 ```
+### AWS Credentials
+Copy the AWS Account credentials from doormat and set it in the terminal, where the enos commands are run.

 ## Executing Scenarios
 From the `enos` directory:
--- a/enos/modules/aws_boundary/boundary-instances.tf
+++ b/enos/modules/aws_boundary/boundary-instances.tf
@ -26,6 +26,11 @@ resource "aws_instance" "controller" {
    encrypted   = true
  }

+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
+
  tags = merge(local.common_tags,
    {
      Name = "${local.name_prefix}-boundary-controller-${count.index}-${split(":", data.aws_caller_identity.current.user_id)[1]}"
@ -54,6 +59,11 @@ resource "aws_instance" "worker" {
    encrypted   = true
  }

+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
+
  tags = merge(local.common_tags,
    {
      Name = "${local.name_prefix}-boundary-worker-${count.index}-${split(":", data.aws_caller_identity.current.user_id)[1]}",
--- a/enos/modules/aws_rdp_domain_controller/main.tf
+++ b/enos/modules/aws_rdp_domain_controller/main.tf
@ -302,6 +302,7 @@ resource "aws_instance" "domain_controller" {

  metadata_options {
    http_endpoint          = "enabled"
+    http_tokens            = "required"
    instance_metadata_tags = "enabled"
  }
  get_password_data = true
--- a/enos/modules/aws_rdp_member_server/main.tf
+++ b/enos/modules/aws_rdp_member_server/main.tf
@ -234,6 +234,7 @@ ${var.domain_admin_password}

  metadata_options {
    http_endpoint          = "enabled"
+    http_tokens            = "required"
    instance_metadata_tags = "enabled"
  }
  get_password_data = true
--- a/enos/modules/aws_rdp_member_server_with_worker/main.tf
+++ b/enos/modules/aws_rdp_member_server_with_worker/main.tf
@ -251,6 +251,7 @@ ${var.domain_admin_password}

  metadata_options {
    http_endpoint          = "enabled"
+    http_tokens            = "required"
    instance_metadata_tags = "enabled"
  }
  get_password_data = true
--- a/enos/modules/aws_target/main.tf
+++ b/enos/modules/aws_target/main.tf
@ -126,13 +126,18 @@ resource "aws_instance" "target" {
    "Type" : "target",
    "Project" : "Enos",
    "Project Name" : "qti-enos-boundary",
-    "Environment" : var.environment
+    "Environment" : var.environment,
    "Enos User" : var.enos_user,
  })

  root_block_device {
    encrypted = true
  }
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
 }

 resource "enos_remote_exec" "wait" {
--- a/enos/modules/aws_vault/vault-instances.tf
+++ b/enos/modules/aws_vault/vault-instances.tf
@ -17,6 +17,11 @@ resource "aws_instance" "vault_instance" {
      Type = local.vault_cluster_tag
    },
  )
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
 }

 resource "enos_remote_exec" "install_dependencies" {
--- a/enos/modules/aws_windows_client/main.tf
+++ b/enos/modules/aws_windows_client/main.tf
@ -253,6 +253,7 @@ resource "aws_instance" "client" {

  metadata_options {
    http_endpoint          = "enabled"
+    http_tokens            = "required"
    instance_metadata_tags = "enabled"
  }
  get_password_data = true
--- a/enos/modules/aws_worker/main.tf
+++ b/enos/modules/aws_worker/main.tf
@ -161,6 +161,11 @@ resource "aws_instance" "worker" {
      Name = "${var.name_prefix}-boundary-worker-${split(":", data.aws_caller_identity.current.user_id)[1]}",
    },
  )
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
 }

 resource "enos_bundle_install" "worker" {