Merge pull request #41733 from hashicorp/security-terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional

ewbankkit · web-flow · commit 098ce2e27759 · 2025-03-07T13:30:14.000-05:00
Fix `terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional` security findings
diff --git a/examples/count/main.tf b/examples/count/main.tf
@@ -46,6 +46,11 @@ resource "aws_instance" "web" {
   instance_type = "t2.small"
   ami           = data.aws_ami.ubuntu.id
 
+  # Force IMDSv2.
+  metadata_options {
+    http_tokens = "required"
+  }
+
   # This will create 4 instances
   count = 4
 }
diff --git a/examples/eip/main.tf b/examples/eip/main.tf
@@ -67,7 +67,12 @@ resource "aws_instance" "web" {
   # this should be on port 80
   user_data = file("userdata.sh")
 
-  #Instance tags
+  # Force IMDSv2.
+  metadata_options {
+    http_tokens = "required"
+  }
+
+  # Instance tags.
   tags = {
     Name = "eip-example"
   }
diff --git a/examples/elb/main.tf b/examples/elb/main.tf
@@ -172,7 +172,12 @@ resource "aws_instance" "web" {
   subnet_id              = aws_subnet.tf_test_subnet.id
   user_data              = file("userdata.sh")
 
-  #Instance tags
+  # Force IMDSv2.
+  metadata_options {
+    http_tokens = "required"
+  }
+
+  # Instance tags
 
   tags = {
     Name = "elb-example"
diff --git a/examples/two-tier/main.tf b/examples/two-tier/main.tf
@@ -136,6 +136,11 @@ resource "aws_instance" "web" {
   # backend instances.
   subnet_id = aws_subnet.default.id
 
+  # Force IMDSv2.
+  metadata_options {
+    http_tokens = "required"
+  }
+
   # We run a remote provisioner on the instance after creating it.
   # In this case, we just install nginx and start it. By default,
   # this should be on port 80
diff --git a/internal/service/ec2/testdata/Instance/data.tags/main_gen.tf b/internal/service/ec2/testdata/Instance/data.tags/main_gen.tf
@@ -10,6 +10,10 @@ resource "aws_instance" "test" {
   ami           = data.aws_ami.amzn2-ami-minimal-hvm-ebs-arm64.id
   instance_type = "t4g.nano"
 
+  metadata_options {
+    http_tokens = "required"
+  }
+
   tags = var.resource_tags
 }
 
diff --git a/internal/service/ec2/testdata/Instance/data.tags_defaults/main_gen.tf b/internal/service/ec2/testdata/Instance/data.tags_defaults/main_gen.tf
@@ -16,6 +16,10 @@ resource "aws_instance" "test" {
   ami           = data.aws_ami.amzn2-ami-minimal-hvm-ebs-arm64.id
   instance_type = "t4g.nano"
 
+  metadata_options {
+    http_tokens = "required"
+  }
+
   tags = var.resource_tags
 }
 
diff --git a/internal/service/ec2/testdata/Instance/data.tags_ignore/main_gen.tf b/internal/service/ec2/testdata/Instance/data.tags_ignore/main_gen.tf
@@ -19,6 +19,10 @@ resource "aws_instance" "test" {
   ami           = data.aws_ami.amzn2-ami-minimal-hvm-ebs-arm64.id
   instance_type = "t4g.nano"
 
+  metadata_options {
+    http_tokens = "required"
+  }
+
   tags = var.resource_tags
 }
 
diff --git a/internal/service/ec2/testdata/Instance/tags/main_gen.tf b/internal/service/ec2/testdata/Instance/tags/main_gen.tf
@@ -5,6 +5,10 @@ resource "aws_instance" "test" {
   ami           = data.aws_ami.amzn2-ami-minimal-hvm-ebs-arm64.id
   instance_type = "t4g.nano"
 
+  metadata_options {
+    http_tokens = "required"
+  }
+
   tags = var.resource_tags
 }
 
diff --git a/internal/service/ec2/testdata/Instance/tagsComputed1/main_gen.tf b/internal/service/ec2/testdata/Instance/tagsComputed1/main_gen.tf
@@ -7,6 +7,10 @@ resource "aws_instance" "test" {
   ami           = data.aws_ami.amzn2-ami-minimal-hvm-ebs-arm64.id
   instance_type = "t4g.nano"
 
+  metadata_options {
+    http_tokens = "required"
+  }
+
   tags = {
     (var.unknownTagKey) = null_resource.test.id
   }
diff --git a/internal/service/ec2/testdata/Instance/tagsComputed2/main_gen.tf b/internal/service/ec2/testdata/Instance/tagsComputed2/main_gen.tf
@@ -7,6 +7,10 @@ resource "aws_instance" "test" {
   ami           = data.aws_ami.amzn2-ami-minimal-hvm-ebs-arm64.id
   instance_type = "t4g.nano"
 
+  metadata_options {
+    http_tokens = "required"
+  }
+
   tags = {
     (var.unknownTagKey) = null_resource.test.id
     (var.knownTagKey)   = var.knownTagValue
diff --git a/internal/service/ec2/testdata/Instance/tags_defaults/main_gen.tf b/internal/service/ec2/testdata/Instance/tags_defaults/main_gen.tf
@@ -11,6 +11,10 @@ resource "aws_instance" "test" {
   ami           = data.aws_ami.amzn2-ami-minimal-hvm-ebs-arm64.id
   instance_type = "t4g.nano"
 
+  metadata_options {
+    http_tokens = "required"
+  }
+
   tags = var.resource_tags
 }
 
diff --git a/internal/service/ec2/testdata/Instance/tags_ignore/main_gen.tf b/internal/service/ec2/testdata/Instance/tags_ignore/main_gen.tf
@@ -14,6 +14,10 @@ resource "aws_instance" "test" {
   ami           = data.aws_ami.amzn2-ami-minimal-hvm-ebs-arm64.id
   instance_type = "t4g.nano"
 
+  metadata_options {
+    http_tokens = "required"
+  }
+
   tags = var.resource_tags
 }
 
diff --git a/internal/service/ec2/testdata/tmpl/ec2_instance_tags.gtpl b/internal/service/ec2/testdata/tmpl/ec2_instance_tags.gtpl
@@ -2,6 +2,10 @@ resource "aws_instance" "test" {
   ami           = data.aws_ami.amzn2-ami-minimal-hvm-ebs-arm64.id
   instance_type = "t4g.nano"
 
+  metadata_options {
+    http_tokens = "required"
+  }
+
 {{- template "tags" . }}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,10 @@ resource "aws_instance" "test" {`
`10`	`10`	`ami = data.aws_ami.amzn2-ami-minimal-hvm-ebs-arm64.id`
`11`	`11`	`instance_type = "t4g.nano"`
`12`	`12`
	`13`	`+ metadata_options {`
	`14`	`+ http_tokens = "required"`
	`15`	`+ }`
	`16`	`+`
`13`	`17`	`tags = var.resource_tags`
`14`	`18`	`}`
`15`	`19`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,10 @@ resource "aws_instance" "test" {`
`16`	`16`	`ami = data.aws_ami.amzn2-ami-minimal-hvm-ebs-arm64.id`
`17`	`17`	`instance_type = "t4g.nano"`
`18`	`18`
	`19`	`+ metadata_options {`
	`20`	`+ http_tokens = "required"`
	`21`	`+ }`
	`22`	`+`
`19`	`23`	`tags = var.resource_tags`
`20`	`24`	`}`
`21`	`25`
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,10 @@ resource "aws_instance" "test" {`
`19`	`19`	`ami = data.aws_ami.amzn2-ami-minimal-hvm-ebs-arm64.id`
`20`	`20`	`instance_type = "t4g.nano"`
`21`	`21`
	`22`	`+ metadata_options {`
	`23`	`+ http_tokens = "required"`
	`24`	`+ }`
	`25`	`+`
`22`	`26`	`tags = var.resource_tags`
`23`	`27`	`}`
`24`	`28`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,10 @@ resource "aws_instance" "test" {`
`5`	`5`	`ami = data.aws_ami.amzn2-ami-minimal-hvm-ebs-arm64.id`
`6`	`6`	`instance_type = "t4g.nano"`
`7`	`7`
	`8`	`+ metadata_options {`
	`9`	`+ http_tokens = "required"`
	`10`	`+ }`
	`11`	`+`
`8`	`12`	`tags = var.resource_tags`
`9`	`13`	`}`
`10`	`14`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,10 @@ resource "aws_instance" "test" {`
`11`	`11`	`ami = data.aws_ami.amzn2-ami-minimal-hvm-ebs-arm64.id`
`12`	`12`	`instance_type = "t4g.nano"`
`13`	`13`
	`14`	`+ metadata_options {`
	`15`	`+ http_tokens = "required"`
	`16`	`+ }`
	`17`	`+`
`14`	`18`	`tags = var.resource_tags`
`15`	`19`	`}`
`16`	`20`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,10 @@ resource "aws_instance" "test" {`
`14`	`14`	`ami = data.aws_ami.amzn2-ami-minimal-hvm-ebs-arm64.id`
`15`	`15`	`instance_type = "t4g.nano"`
`16`	`16`
	`17`	`+ metadata_options {`
	`18`	`+ http_tokens = "required"`
	`19`	`+ }`
	`20`	`+`
`17`	`21`	`tags = var.resource_tags`
`18`	`22`	`}`
`19`	`23`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,10 @@ resource "aws_instance" "test" {`
`2`	`2`	`ami = data.aws_ami.amzn2-ami-minimal-hvm-ebs-arm64.id`
`3`	`3`	`instance_type = "t4g.nano"`
`4`	`4`
	`5`	`+ metadata_options {`
	`6`	`+ http_tokens = "required"`
	`7`	`+ }`
	`8`	`+`
`5`	`9`	`{{- template "tags" . }}`
`6`	`10`	`}`
`7`	`11`