From: Lucas Di Pentima Date: Wed, 13 Mar 2024 17:45:30 +0000 (-0300) Subject: 21585: Updates installer's Terraform code to require IMDSv2 on service nodes. X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/f10e92fe095a7b292dde71da0f1d8465312236d7?hp=6b9cb6715bb7c04b2a425bc28b41a51f8a273a7a 21585: Updates installer's Terraform code to require IMDSv2 on service nodes. Applying this change to an already working cluster won't recreate any resource, just change the settings in place. Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima
---
diff --git a/tools/salt-install/terraform/aws/services/main.tf b/tools/salt-install/terraform/aws/services/main.tf
index bdb2bdcc36..54e2fc412b 100644
--- a/tools/salt-install/terraform/aws/services/main.tf
+++ b/tools/salt-install/terraform/aws/services/main.tf
@@ -67,7 +67,10 @@ resource "aws_instance" "arvados_service" {
 volume_type = "gp3"
 volume_size = try(var.instance_volume_size[each.value], var.instance_volume_size.default)
 }
-
+ metadata_options {
+ # Sets IMDSv2 to required. Default is "optional".
+ http_tokens = "required"
+ }
 lifecycle {
 ignore_changes = [
 # Avoids recreating the instance when the latest AMI changes.
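Review bot: The new `metadata_options` block sets `http_tokens = "required"` but leaves `http_put_response_hop_limit` unset, so the effective hop limit is whatever the AMI or account default supplies. Pinning it, e.g. `http_put_response_hop_limit = 1`, keeps token responses from crossing an extra network hop such as a container bridge; if a service node is meant to let containers reach IMDS, that should be a deliberate, commented exception. Because the setting is applied in place on running instances, any process still making IMDSv1 calls will start getting 401 responses, so checking the EC2 `MetadataNoToken` CloudWatch metric on the existing nodes before applying would be worthwhile. The `aws_instance.arvados_service` resource begins and ends outside this hunk.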